Patch up security vulnerbility CVE-2021-44228 (also known as Log4Shell) for minecraft forge 1.7.10 - 1.12.2, by removing JNDI lookup from Interpolator using reflection and replace the default LoggerContextFactory to catch any LoggerContext loaded after this mod. For more specific technical explainations on how I patched it, please refer to the source code instead.

Currently only works for minecraft 1.12 and before. Tested on 1.7.10 and 1.12.2.

Compatibility

If any mod tries to programatically tweak logging configuration, they will fail miserably due to the exhaustive patching. To fix this, healer postpones the patching late enough, until said mods are done with their editing.

As of date, healer has built in support for these mods.

ForgeEssentials

If you have other mods crashing with log lines like ClassCastException: cannot cast XXXXXXXX to org.apache.logging.log4j.core.impl.Log4jContextFactory, then you have step on one of these mods.

To fix this, complain at my issue tracker, or add -Dnet.glease.healer.patch_stage=XXXX to your JVM launch argument, where XXXX can be any of PRELOAD, PREINIT, INIT, POSTINIT (in time order, with earliest as the first). PREINIT is usually enough to mitigate the problem, POSTINIT should be enough to fix all problem.

To ordinary players

If your launcher has patched this already, you will not need this mod to patch the vulnerability.
If you applied mojang's fix, you will not need this mod to patch the vulnerability.
If you have FoamFix for 1.7, you will not need this mod to patch the vulnerability.
If you have used other fixing mods, ask their original authors if they can "catch any LoggerContext loaded after their mod", if yes, you will not need this mod. Otherwise, replace that mod with this mod, or use a launcher that does patching for you, e.g. MultiMC.

To modpack makers

Suggested to include in at least server pack.

Client side: in general not needed, unless your player has been living under a rock or intend to play with cracked launchers (which has its own set of implications, and is legally forbidden) that do not patch this. It has been ONE FULL YEAR since log4shell has been disclosed after all.
Server side: greatly suggested unless you have an equivalent mod. If you also distribute a server pack, and it is intended for minecraft 1.7~1.12.2, adding this mod is not necessary if you applied mojang's fix. However, since many people don't use the StartServer.bat (or something alike) that come with your server pack, chances are they will not use mojang's fixed log4j2.xml. There are also minecraft server rental service that does not allow customizing the launch command (yes my first server was like that). Technically you should not distribute an edited minecraft_server-1.7.10.jar, so adding this jar would be the most straightforward way of ensuring your server owners getting a fix.