JMeter and the Log4j vulnerability

Posted on 14 December 2021 in JMETER

Discover the fix, the workaround and the long term solution

The problem

Last week, the world discovered a major vulnerability in Log4j, identified as CVE-2021-44228 and CVE-2021-45046.

If you're using Apache JMeter <= 5.4.1, you should know that it embeds log4j2 2.13.3, which is affected by these CVEs.

Log4j vulnerability in JMeter: the fix

The JMeter team immediately upgraded to log4j2 2.15 on 10 December 2021:

https://github.com/apache/jmeter/commit/403842148e82c24e560c365efd8b7290076b0ba5

And, even better, to log4j2 2.16 on 14 December:

https://github.com/apache/jmeter/commit/bdc610a1df6d5d92e7b8ee2e36f186a45ba0d428

If you want to try the nightly build, you can use the new version immediately by downloading it from here:

https://ci.apache.org/projects/jmeter/nightlies/

Update on 16th december 2021:

A new release, 5.4.2, has been finalized today. It will be available on 17 December from the Apache JMeter website.

Meanwhile, before the mirrors are synchronized, it can be downloaded from:

Update on 17th december 2021:

The new release 5.4.2 is available from today on the Apache JMeter website:

Update on 19th december 2021:

A new CVE, CVE-2021-45105, has been revealed in Log4j2, affecting Log4j2 2.16. This CVE differs from the previous ones: it does not allow arbitrary code execution, it is a denial of service vulnerability.

Moreover, it does not affect JMeter, as JMeter's logging layout patterns do not use "Context Lookups".

Update on 11th january 2022:

The JMeter team has released version 5.4.3, which embeds a new version of the log4j2 library fixing CVE-2021-45105.

Log4j2 vulnerability in JMeter: mitigation

Option 1 (no longer sufficient since CVE-2021-45046): disable the affected feature of log4j

Add to the JMeter startup options:

  • -Dlog4j2.formatMsgNoLookups=true

Or add to system.properties:

  • log4j2.formatMsgNoLookups=true

Option 2: Upgrade the jars

If you would rather not test the nightly build, use this very easy solution:

  1. Firstly, download log4j2 2.16 from here:

     https://logging.apache.org/log4j/2.x/download.html

  2. Secondly, unzip it and get the following jars:

    • log4j-1.2-api-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-core-2.16.0.jar
    • log4j-slf4j-impl-2.16.0.jar

  3. Thirdly, delete the following jars from the jmeter/lib folder:

    • log4j-1.2-api-2.13.3.jar
    • log4j-api-2.13.3.jar
    • log4j-core-2.13.3.jar
    • log4j-slf4j-impl-2.13.3.jar

  4. Finally, replace them with the new version jars.

You're done!
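To make the jar swap above checkable rather than manual, here is an added example (not part of the original post or of the JMeter project): a POSIX sh script that audits a JMeter lib/ folder for log4j2 jars older than 2.16.0, then performs steps 3 and 4 (remove the 2.13.3 jars, copy in the 2.16.0 ones). It assumes the log4j-<module>-<version>.jar naming shown in the post, and takes the lib directory and the directory holding the downloaded 2.16.0 jars as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: audit a JMeter lib/ folder for the
# log4j2 jars listed above and apply steps 3 and 4 of the upgrade procedure.
# Assumptions: jars are named log4j-<module>-<version>.jar; paths come from the caller.
set -u

MIN_SAFE_LOG4J="2.16.0"   # version the post upgrades to
LOG4J_MODULES="log4j-1.2-api log4j-api log4j-core log4j-slf4j-impl"

# Print "2.13.3" for ".../log4j-core-2.13.3.jar"; print nothing if the name does not match.
log4j_jar_version() {
  basename "$1" | sed -n 's/^log4j-.*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Split "2.13.3" (or "2.16") into three numeric fields; missing fields count as 0.
vfields() {
  ver="$1.0.0"
  f1=${ver%%.*}; rest=${ver#*.}
  f2=${rest%%.*}; rest=${rest#*.}
  f3=${rest%%.*}
  echo "$f1 $f2 $f3"
}

# Succeed when version $1 is strictly lower than $2 (a string compare would rank 2.9 above 2.16).
version_lt() {
  set -- $(vfields "$1") $(vfields "$2")
  if [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]; return $?; fi
  if [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]; return $?; fi
  [ "$3" -lt "$6" ]
}

# Print one line per log4j jar in lib/; return 1 if any is older than MIN_SAFE_LOG4J.
audit_jmeter_lib() {
  libdir="$1"; status=0
  for jar in "$libdir"/log4j-*.jar; do
    [ -e "$jar" ] || continue
    v=$(log4j_jar_version "$jar"); [ -n "$v" ] || continue
    if version_lt "$v" "$MIN_SAFE_LOG4J"; then
      echo "VULNERABLE $(basename "$jar") ($v < $MIN_SAFE_LOG4J)"; status=1
    else
      echo "OK         $(basename "$jar")"
    fi
  done
  return $status
}

# Steps 3 and 4: delete the old jars of each module from lib/ and copy in the 2.16.0 ones.
replace_log4j_jars() {
  libdir="$1"; newdir="$2"
  for m in $LOG4J_MODULES; do
    rm -f "$libdir"/"$m"-[0-9]*.jar
    cp "$newdir"/"$m"-"$MIN_SAFE_LOG4J".jar "$libdir"/
  done
}
```

Run `audit_jmeter_lib /path/to/apache-jmeter-5.4.1/lib` before and after `replace_log4j_jars <lib> <dir-with-2.16.0-jars>` to confirm only 2.16.0 jars remain.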

The long term solution

Many of these free open-source solutions are developed by people working in their personal time, so if you use their software, you can help them in many ways:

  • Say thanks
  • Report bugs
  • Report security patches
  • Contribute:
    • to their documentation, their forums
    • through personal donations to the developers when they offer this option
    • through donations to their foundations
  • Sponsor their work

And finally, kudos to the Log4j2 and JMeter teams, which were very reactive in fixing the reported issues.

The jmeter-maven-plugin

The JMeter Maven Plugin embeds JMeter and is consequently affected by the CVEs, but fortunately there is a clean solution to work around the problem.

Read this blog post by a contributor to the JMeter Maven Plugin.
