All information below is accurate to the best of our knowledge. However, because this is an ongoing issue, please remain on the safe side and be cautious.
Our recommendation is to not connect to ANY servers or RUN any servers until Mojang has made an official announcement regarding this issue.
TL;DR: The RCE in question relates to the logging library Log4J. Any message that is logged can access JNDI, and through JNDI classes can be injected into the Java runtime. More details are in the article above.
Warning: The article is highly technical; read the below if you do not understand it.
The vulnerability above was introduced in Log4J 2.0. All Minecraft versions 1.7 (and its snapshots) and above contain this version.
All versions above 1.7 and its snapshots are affected.
Minecraft logs many things sent from clients via Log4j. The simplest and easiest example to exploit is chat messages.
If you are on 1.17 or 1.18, are using the official launcher, and are not using modded, this will fix the issue (please keep an eye on that tweet in case there are updates).
If you are NOT on the official launcher, are using modded, or are on 1.16 or below:
Do not connect to any servers; there is simply nothing you can do until Mojang fixes the issue.
Play Single Player.
If your server is on 1.17 or 1.18, you can add -Dlog4j2.formatMsgNoLookups=true to your user_jvm_args.txt file.
Please read and understand the disclaimer at the top of this document before proceeding.
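One way to check for the flag and apply it idempotently, as an added example that is not part of the original advisory. The function names are hypothetical, and the script assumes that lines starting with # in the argument file are comments and that the last occurrence of a repeated -D option is the one that takes effect.

```shell
#!/bin/sh
# Added example: verify that a server's JVM argument file carries the
# mitigation flag named above, and append it when it is not in effect.
# Per the text above, this applies to servers on 1.17 or 1.18.

FLAG='-Dlog4j2.formatMsgNoLookups=true'

# flag_state FILE -> prints "enabled", "disabled" or "missing".
# Comment lines are skipped, so a commented-out flag counts as missing.
flag_state() {
    [ -f "$1" ] || { echo missing; return; }
    last=$(grep -v '^[[:space:]]*#' "$1" \
        | tr -s '[:space:]' '\n' \
        | grep '^-Dlog4j2\.formatMsgNoLookups=' | tail -n 1)
    case "$last" in
        '') echo missing ;;
        *=[Tt][Rr][Uu][Ee]) echo enabled ;;
        *) echo disabled ;;   # present, but set to something other than true
    esac
}

# ensure_flag FILE: append the flag unless it is already in effect.
# Appending after a "=false" entry makes the new entry the last one.
ensure_flag() {
    state=$(flag_state "$1")
    if [ "$state" = enabled ]; then
        return 0
    fi
    # Add a newline first if the file does not end with one, so the
    # flag is not glued onto the previous argument.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1"
    fi
    printf '%s\n' "$FLAG" >> "$1"
}

# Usage: sh this_script.sh /path/to/server/user_jvm_args.txt
if [ "$#" -gt 0 ]; then
    ensure_flag "$1"
    echo "$1: $(flag_state "$1")"
fi
```

Restart the server after the file changes, since JVM arguments are only read at startup.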
If your server is on 1.16 or below, shut it down. There is nothing you can do about this issue until the relevant software is fixed by Mojang.
Wait for a public announcement from Mojang or any follow-up messages to this document.