JMeter 5.4.1 ships with log4j2 in version 2.13.3, which is vulnerable to the Apache Log4j CVE-2021-44228 vulnerability. Older versions also ship with affected versions of log4j2. The log4j2 library should be updated to 2.15.0, which contains a fix.
The upcoming version would include the fix, see https://github.com/apache/jmeter/pull/680
*** Bug 65750 has been marked as a duplicate of this bug. ***
*** Bug 65751 has been marked as a duplicate of this bug. ***
*** Bug 65752 has been marked as a duplicate of this bug. ***
*** Bug 65753 has been marked as a duplicate of this bug. ***
More vulnerabilities have been detected in log4j2 <= 2.16.0 (CVE-2021-45105, CVE-2021-45046). So the minimum version of the log4j2 library should be 2.17.0.
Pasting the response of Phillippe from Twitter: JMeter is not concerned by this CVE-2021-45105; we don't use such fragile patterns in the config. Also, JMeter is not a server application, and this CVE relates to DoS, not control of the server.
I noticed that another vulnerability has been found in version 2.17.0 of log4j: https://logging.apache.org/log4j/2.x/index.html 2.17.1 fixes this.
+1 to Arjan. I greatly appreciate the Christmas Eve security release (upgrade to 2.17.0), but it looks like Krampus delivered another vulnerability with CVE-2021-44832. That security patch was delivered a few days after Christmas. AFAIK, the only robust fix is upgrading to 2.17.1: https://logging.apache.org/log4j/2.x/security.html FWIW, I noticed the issue when the CrowdStrike CAST tool flagged this file as vulnerable: /usr/local/Cellar/jmeter/5.4.3/libexec/lib/log4j-core-2.17.0.jar
*** Bug 65808 has been marked as a duplicate of this bug. ***
Hi, are there any plans to make a release using the 2.17.1 version of log4j? My customer has locked the available versions in our maven repository to 2.17.1 and higher, which breaks my maven build using the maven-jmeter plugin to run performance/regression tests. This plugin relies on the declared dependencies of jmeter artifacts to set up a running jmeter instance and so tries to download the 2.17.0 version of log4j. Regards, René Brandenburger
A couple of workarounds are described in https://ardesco.lazerycode.com/oss/2021/12/28/fixing-security-flaws-with-the-jmeter-maven-plugin.html. The last one looks like a good solution to me, but note that I haven't tested it.
*** Bug 65926 has been marked as a duplicate of this bug. ***
[Bug 65926] The latest JMeter version 5.4.3 is updated to log4j 2.17.0, but our security wants to upgrade to 2.17.1. When and in which release will Apache JMeter be available with log4j version 2.17.1? It's critical.
JMeter 5.5 is currently being prepared to be voted on (and if the vote succeeds, it will be released with log4j2 2.17.2). For those who wish to use older versions of JMeter which were shipped with an old version of log4j2: you can replace the shipped log4j2 jars (located in the lib folder) with newer ones (tested with log4j2 2.17.2, but any 2.x version is probably fine). For more details, look into the linked PR https://github.com/apache/jmeter/pull/680
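As an added example (not code from the JMeter project or from anyone in this thread), a small POSIX shell script that checks which log4j-core jar sits in a JMeter install's lib folder and flags anything below the 2.17.1 minimum the thread settled on; the script name, the 2.17.1 threshold and the x.y.z-only version parsing are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the JMeter project: report whether the log4j-core
# jar in a JMeter install's lib/ directory meets the 2.17.1 minimum discussed
# in this thread. Only plain numeric dotted versions (x.y.z) are handled.

MIN_VERSION="2.17.1"   # minimum log4j-core version accepted (from the thread)

# Turn a dotted version into a comparable integer: 2.17.1 -> 2017001
vernum() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    printf '%d%03d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Return 0 if version $1 >= version $2, else 1.
version_ge() { [ "$(vernum "$1")" -ge "$(vernum "$2")" ]; }

# Extract the version from a jar path: .../log4j-core-2.17.0.jar -> 2.17.0
jar_version() {
    name=${1##*/}; name=${name#log4j-core-}
    printf '%s\n' "${name%.jar}"
}

# Print "OK <ver>" or "VULNERABLE <ver>" for one log4j-core jar path.
check_jar() {
    ver=$(jar_version "$1")
    if version_ge "$ver" "$MIN_VERSION"; then printf 'OK %s\n' "$ver"
    else printf 'VULNERABLE %s\n' "$ver"; fi
}

# Scan a lib/ directory. Exit status: 0 all jars fine, 1 an outdated jar was
# found, 2 no log4j-core jar present (probably the wrong directory).
scan_lib() {
    dir=$1; bad=0
    for jar in "$dir"/log4j-core-*.jar; do
        [ -e "$jar" ] || { echo "no log4j-core jar in $dir" >&2; return 2; }
        result=$(check_jar "$jar")
        echo "$jar: $result"
        case $result in VULNERABLE*) bad=1 ;; esac
    done
    return "$bad"
}

# Usage: sh check-log4j.sh /path/to/jmeter/lib (e.g. .../5.4.3/libexec/lib)
if [ $# -gt 0 ]; then scan_lib "$1"; fi
```

When replacing jars by hand, as the comment above suggests, swap all the shipped log4j2 jars to the same version rather than only log4j-core, then re-run the check.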
I did replace the shipped log4j2 jars (located in the lib folder) with newer ones in my old JMeter 5.2.1 install and it worked. Will the same work for older JMeter 4.0 and JMeter 3.3? Though I did not see any error in the log when loading JMeter, will the new log4j jars work with JMeter 3.3 and 4.0?
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/5601