A major vulnerability in Log4j, the open source Apache logging library, has sent IT teams scrambling over the last few days. Known as Log4Shell, the flaw exposes some of the world’s most popular applications and services to attack. It has been reported that attackers have been exploiting this bug since the beginning of December 2021.
Since Apache JMeter version 3.2, logging has been configured through an Apache Log4j 2 configuration file. The Apache team has said that JMeter is also affected by this vulnerability. So if your JMeter project uses a version higher than 3.2, there are some steps you need to perform to stay out of danger.
In the $JMETER_HOME/libexec/lib directory you will find the log4j JAR files that JMeter uses. There are 4 JAR files to replace:
These JAR files could leave your projects and data exposed to attackers, so we are going to replace them.
Before deleting these files, make sure that JMeter and any tools derived from it are not running on your system (their JAR files would still be in use). Then go to this link and download the updated Log4j files.
After replacing the old JAR files with the new ones, you will have done your part to close this security hole.
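To confirm that no old log4j JAR was left behind in the lib directory, here is an added check script (not part of the original post or of JMeter itself). It assumes JMETER_HOME defaults to /opt/jmeter and that 2.17.1 is the minimum acceptable log4j version; set MIN_SAFE to the release you actually downloaded.

```shell
#!/bin/sh
# Added verification script: lists the log4j JARs under the JMeter lib directory and flags
# any whose version is below MIN_SAFE. JMETER_HOME and MIN_SAFE defaults are assumptions.
JMETER_LIB="${JMETER_HOME:-/opt/jmeter}/libexec/lib"
MIN_SAFE="${MIN_SAFE:-2.17.1}"

# Extract the version from a log4j JAR name, e.g. log4j-1.2-api-2.13.3.jar -> 2.13.3
log4j_version() {
  printf '%s\n' "$1" | sed -n 's/^log4j-[A-Za-z0-9.-]*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Succeed (return 0) when dotted version $1 is lower than $2; compares three numeric fields.
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i"); y=$(printf '%s\n' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# Print one line per log4j JAR in directory $1; return 1 if any JAR is old or unparseable.
scan_log4j_jars() {
  dir="$1" status=0
  for jar in "$dir"/log4j-*.jar; do
    [ -e "$jar" ] || continue
    ver=$(log4j_version "$(basename "$jar")")
    if [ -z "$ver" ]; then
      echo "UNKNOWN $jar (version not parsed from name; inspect manually)"; status=1
    elif version_lt "$ver" "$MIN_SAFE"; then
      echo "OLD     $jar ($ver < $MIN_SAFE)"; status=1
    else
      echo "OK      $jar ($ver)"
    fi
    # Extra hint for log4j-core: report whether the JNDI lookup class is still packaged.
    case "$jar" in *log4j-core-*)
      if command -v unzip >/dev/null 2>&1 && unzip -l "$jar" 2>/dev/null | grep -q 'JndiLookup.class'; then
        echo "        note: JndiLookup.class is packaged in $jar"
      fi;;
    esac
  done
  return "$status"
}

# Warn if JMeter is still running, since its JARs cannot be safely replaced while in use.
if pgrep -f ApacheJMeter >/dev/null 2>&1; then echo "JMeter is running; stop it before replacing JARs"; fi
scan_log4j_jars "$JMETER_LIB"
```

The script exits non-zero while any old or unrecognised log4j JAR remains, so it can be run again after the replacement as a final check.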
The Cybersecurity and Infrastructure Security Agency (CISA) also recommends some additional steps: enumerate any external-facing devices with Log4j installed; ensure the security operations center actions every alert on those devices; and install a web application firewall (WAF) with rules that focus on Log4j.
Happy load testing 🙂