
JMeter and the Log4j2 vulnerability


The problem

Last week, the world discovered a major vulnerability in Log4j2, identified as CVE-2021-44228.

If you’re using Apache JMeter, you should know that it embeds Log4j2 2.13.3, which is affected by this CVE.

The fix

The JMeter team upgraded to Log4j2 2.15 immediately, on 10 December:

https://github.com/apache/jmeter/commit/403842148e82c24e560c365efd8b7290076b0ba5

And, even better, to Log4j2 2.16 on 14 December:

https://github.com/apache/jmeter/commit/bdc610a1df6d5d92e7b8ee2e36f186a45ba0d428

If you want to try the nightly build, you can use the new version immediately by downloading it from here:

https://ci.apache.org/projects/jmeter/nightlies/

A new release, 5.5 or 6.0, with many great features is planned in the coming days.

The workaround

Option 1: Disable the affected feature of log4j

Add to the JMeter startup options:

  • -Dlog4j2.formatMsgNoLookups=true

Or add to system.properties:

  • log4j2.formatMsgNoLookups=true

This property is only honoured by Log4j2 2.10 and later; the 2.13.3 bundled with JMeter qualifies.

Option 2: Upgrade the jars

If you don’t want to test the nightly build, there is fortunately a very easy solution:

  1. Download Log4j2 2.16 from here:

     https://logging.apache.org/log4j/2.x/download.html

  2. Unzip it and get the following jars:

     • log4j-1.2-api-2.16.0.jar
     • log4j-api-2.16.0.jar
     • log4j-core-2.16.0.jar
     • log4j-slf4j-impl-2.16.0.jar

  3. Delete the following jars from the jmeter/lib folder:

     • log4j-1.2-api-2.13.3.jar
     • log4j-api-2.13.3.jar
     • log4j-core-2.13.3.jar
     • log4j-slf4j-impl-2.13.3.jar

  4. Replace them with the new version jars.

You’re done!
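To check that the swap in steps 2 to 4 was complete (forgetting one of the four jars is the usual mistake), here is an added audit script that is not part of the original post: it lists every log4j-*.jar in a JMeter lib/ folder and flags any still below 2.16.0. The fixture directories and the 2.13.3 / 2.16.0 file names it builds are constructed from the lists above; point it at your own $JMETER_HOME/lib in practice.

```sh
#!/bin/sh
# Added example, not code from the original post or from the JMeter project.
# Audit a JMeter lib/ directory for Log4j2 jars older than 2.16.0.

# Return 0 if every log4j-*.jar in the directory is >= 2.16.0, 1 otherwise.
# Prints one verdict line per jar found.
audit_jmeter_log4j() {
  lib="$1"
  bad=0
  for jar in "$lib"/log4j-*-[0-9]*.jar; do
    [ -e "$jar" ] || continue             # glob matched nothing: no log4j jars
    name=$(basename "$jar" .jar)
    ver=${name##*-}                        # text after the last '-' is the version
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 16 ]; }; then
      echo "OK       $name"
    else
      echo "UPGRADE  $name ($ver < 2.16.0)"
      bad=1
    fi
  done
  return $bad
}

# Build constructed fixtures (empty files named like the jars in the post):
#   old/lib   the four 2.13.3 jars JMeter ships with
#   new/lib   all four replaced by 2.16.0
#   mixed/lib three replaced, log4j-core forgotten (the realistic failure)
# Prints the temporary root directory.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/old/lib" "$root/new/lib" "$root/mixed/lib"
  for a in log4j-1.2-api log4j-api log4j-core log4j-slf4j-impl; do
    : > "$root/old/lib/$a-2.13.3.jar"
    : > "$root/new/lib/$a-2.16.0.jar"
    : > "$root/mixed/lib/$a-2.16.0.jar"
  done
  rm "$root/mixed/lib/log4j-core-2.16.0.jar"
  : > "$root/mixed/lib/log4j-core-2.13.3.jar"
  echo "$root"
}

# Usage against a real installation:
#   . ./audit.sh && audit_jmeter_log4j "$JMETER_HOME/lib"
```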

The long term solution

Remember that many of these free OSS solutions are often developed by people on their personal time, so if you use their software, you can help them in many ways:

  • Say thanks
  • Report bugs
  • Report security patches
  • Contribute:
    • to their documentation, their forums
    • through personal donations to the developers when they offer this option
    • through donations to their foundations
  • Sponsor their work

And finally, kudos to the Log4j2 and JMeter teams, who were very quick to fix the reported issues.

The article JMeter and the Log4j2 vulnerability first appeared on Ubik Ingénierie.
