JMeter and the Log4j vulnerability

on 14 December 2021 JMETER and Tags: , , , , , , , , with 0 comments
Log4j vulnerability JMeter

Discover the fix, the workaround and the long term solution

The problem

Last week, the world discovered a major vulnerability in Log4j identified as CVE-2021-44228 and CVE-2021-45046

If you’re using Apache JMeter <= 5.4.1, you should know that it embeds log4j2 2.13.3 which is affected by this CVE.

Log4j vulnerability in JMeter: the fix

the JMeter Team has immediately made the upgrade to log4J2 2.15 on 10th december 21:

And even better to log4j2 2.16 on 14th december:

If you want to try nightly build, you can immediately use the new version by downloading it from here:

Update on 16th december 2021:

A new release 5.4.2 has been finalized today. It will be available on 17th december from Apache JMeter website.

Meanwhile it can be downloaded before mirrors are synchronized from:

Update on 17th december 2021:

New release 5.4.2 is available since today from Apache JMeter website:

Update on 19th december 2021:

A new CVE CVE-2021-45105 has been revealed in Log4J2 affecting Log4j2 2.16. This CVE differs from the previous ones as it does not allow Arbitrary Code Execution, it is a Denial Of Service vulnerability.

Besides it does not affect JMeter as the logging Layout Patterns of JMeter do not use “Context Lookups”.

Update on 11th january 2022:

The JMeter team has release version 5.4.3 to embed a new version of log4j2 library fixing CVE-2021-45105

Log4j2 vulnerability in JMeter : mitigation

Option 1 (not enough following CVE-2021-45046): Disable the affected feature of log4j

Add to jmeter startup options:

  • -Dlog4j2.formatMsgNoLookups=true

Or add to

  • log4j2.formatMsgNoLookups=true

Option 2: Upgrade the jars

Avoid to test the nightly build with this very easy solution:

  1. Firstly, download log4j2 2.16 from here:

2. Secondly, unzip it and get the following jars:

  • log4j-1.2-api-2.16.0.jar
  • log4j-api-2.16.0.jar
  • log4j-core-2.16.0.jar
  • log4j-slf4j-impl-2.16.0.jar

3. Thirdly, delete from jmeter/lib folder the following jars:

  • log4j-1.2-api-2.13.3.jar
  • log4j-api-2.13.3.jar
  • log4j-core-2.13.3.jar
  • log4j-slf4j-impl-2.13.3.jar

4. Finally, replace them with the new version jars

You’re done !

The long term solution

Many of those OSS free solutions are frequently developed by people working on their personal time, so if you use their software, you can help them in many ways:

  • Say thanks
  • Report bugs
  • Report security patches
  • Contribute:
    • to their documentation, their forums
    • through personal donations to the developers when they offer this option
    • through donations to their foundations
  • Sponsor their work

And finally, KUDOS to the Log4J2 Team and JMeter teams which were very reactive fixing the reported issues.

The jmeter-maven-plugin

The JMeter Maven Plugin embeds JMeter and as a consequence is affected by the CVEs, but hopefully there is clean solution to workaround the problem.

Read this blog from a contributor of JMeter-Maven-Plugin.

Learn more on JMeter and UBIK Ingenierie

About us: