Bug 65808 - Log4J Security Risk in 5.4.3
Summary: Log4J Security Risk in 5.4.3
Status: RESOLVED DUPLICATE of bug 65748
Alias: None
Product: JMeter - Now in Github
Classification: Unclassified
Component: HTTP
Version: 5.4.3
Hardware: PC All
Importance: P2 normal
Target Milestone: JMETER_5.5
Assignee: JMeter issues mailing list
Reported: 2022-01-19 10:06 UTC by Neeti
Modified: 2022-01-24 15:38 UTC
Description Neeti 2022-01-19 10:06:07 UTC
Hi JMeter team,

We are using JMeter for our project. This mail is regarding the security risk because of Log4j. We were using JMeter 4.0 (planning to upgrade to JMeter 5.4.3). But according to the release notes, the Log4j security risk is still there in 5.4.3.

We need the following help from you:
1. It would be helpful if we can get a fix for this issue.
2. We have found that the latest version of JMeter, 5.4.3, has the 2.17.0 Log4j jar.

But 2.17 also has two direct vulnerabilities; the details of both show that they are vulnerable.

In the Maven repository (https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core), we have the 2.17.1 version, which shows no vulnerability, so can you please advise whether we can use the 2.17.1 jar with Apache JMeter 5.4.3? Is that supported if we do it, and will it resolve the current Log4j threat?
Comment 1 Felix Schumacher 2022-01-24 15:38:20 UTC

*** This bug has been marked as a duplicate of bug 65748 ***
Comment 2 The ASF infrastructure team 2022-09-24 20:38:23 UTC
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/5618