This is a simple, quick and dirty script designed to remove JNDI functionality from the Log4j packages present in your Minecraft installs. It requires Python 3, and should work on any operating system (although it's only been tested on Linux).
Currently, official versions of Minecraft cannot be modified in-place – the launcher redownloads
version_manifest_v2.json at each launch and detects that the files have been tampered with. As a workaround, the script will make a copy of each version it modifies and append the '-patched' suffix.
I've created a patched build of Forge 1.16.4, which works on both clients and servers. You should be using the patched build instead of this script.
Why use this script?
First of all, this patch script (theoretically) works on old and modded versions of Minecraft, so you can keep playing those versions. Additionally, as of the time of writing, the latest version of Minecraft still uses a vulnerable version of Log4j (2.14.1), which this script fixes.
This version updates the libraries to Log4j 2.17.1, instead of modifying the existing JARs. This is a more effective patch method, and you should apply this update even if you've run the v1.0 patch.