Skip to main content
The Docker Minecraft Server image automatically applies all official Log4j vulnerability mitigations during container startup.

Automatic Protection

All official Log4j mitigations released by Mojang are automatically applied by the container startup process.
Please ensure you have pulled the latest image to receive the most recent security patches and mitigations.

How It Works

The container includes built-in Log4jPatcher functionality that:
  1. Detects vulnerable Log4j versions in your Minecraft server JAR files
  2. Automatically applies the appropriate patches during startup
  3. Protects against known CVE vulnerabilities including CVE-2021-44228 (Log4Shell)
  4. Works with all server types (Vanilla, Paper, Spigot, Forge, Fabric, etc.)

Updating Your Image

To ensure you have the latest security patches:
1

Pull the latest image

docker pull itzg/minecraft-server:latest
2

Restart your container

docker compose down
docker compose up -d
3

Verify the update

Check the container logs for Log4j patching messages during startup.

Verification

When your container starts, you should see log messages indicating that Log4j patching has been applied (if needed). The patcher will:
  • Report which JAR files were scanned
  • Indicate if vulnerabilities were found
  • Confirm successful patching
Never disable Log4j patching. The automatic patching process is a critical security feature.

Additional Security Best Practices

Beyond Log4j patching, consider these security measures:
  • Keep images updated: Regularly pull the latest image to receive security updates
  • Use specific version tags: Consider using version-specific tags (e.g., java21) for production
  • Monitor security advisories: Watch the official repository for security announcements
  • Limit network exposure: Use firewalls and network policies to restrict access
  • Review server logs: Regularly check logs for suspicious activity

Build docs developers (and LLMs) love

Get started for freeTalk to us