DEV Community

Boga Sebastian Nicolae

JMeter 5.4.1 fix for Security CVE-2021-44228 issue

If you installed JMeter 5.4.1 on Windows from the GitHub repo install-jmeter-windows, you should know by now that you are impacted by security issue CVE-2021-44228, because JMeter is a Java application.

Here you can find an automatic tool that fixes the vulnerability by downloading Log4j version 2.16 and replacing the Log4j JARs in JMeter's lib folder.

STEPS:

  1. STOP JMeter GUI

  2. download Release v01 from here: https://github.com/sebiboga/jmeter-fix-cve-2021-44228-windows/releases/tag/v01

  3. unzip the Release

  4. double click on cve-2021-44228.bat

If you didn't install JMeter in C:\JMeter\apache-jmeter-5.4.1, you'll have to:

  • EDIT the bat file and, on row 2, set the location where JMeter is installed;
  • then update all copy commands with the correct destination folder

Here is the batch file:

@echo off
cd /d C:\JMeter\apache-jmeter-5.4.1\lib || exit /b 1
rem /d also switches drive; the script stops if the folder is missing, so del never runs elsewhere
rem Delete the existing Log4j files from JMeter's lib folder
del log4j*.*
md C:\JMeter\cve-2021-4428

rem Download and unpack the Log4j 2.16.0 binary release
powershell -command "Invoke-WebRequest -Uri 'https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip' -OutFile 'C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin.zip'"
powershell -command "Expand-Archive -Force 'C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin.zip' 'C:\JMeter\cve-2021-4428'"
rem Copy the 2.16.0 JARs into JMeter's lib folder
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-1.2-api-2.16.0.jar  C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-api-2.16.0.jar  C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-core-2.16.0.jar  C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-slf4j-impl-2.16.0.jar  C:\JMeter\apache-jmeter-5.4.1\lib\*.*
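
To confirm the result after the batch file has run, the PowerShell check below lists the Log4j JARs in JMeter's lib folder and compares the version in each file name and in each JAR manifest with 2.16.0. It is an added example, not part of the original post or its GitHub release; the function name Get-JMeterLog4jStatus and the status labels are hypothetical, and it assumes the Log4j JARs record an Implementation-Version line in META-INF/MANIFEST.MF.

```powershell
# Added example (not from the original post). Get-JMeterLog4jStatus is a hypothetical name.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-JMeterLog4jStatus {
    param(
        [string]$LibPath = 'C:\JMeter\apache-jmeter-5.4.1\lib',  # install path used in the post
        [string]$ExpectedVersion = '2.16.0'                       # version the batch file installs
    )
    if (-not (Test-Path -LiteralPath $LibPath -PathType Container)) {
        throw "JMeter lib folder not found: $LibPath"
    }
    # The four JARs the batch file copies into lib.
    $expected = 'log4j-1.2-api', 'log4j-api', 'log4j-core', 'log4j-slf4j-impl' | ForEach-Object { '{0}-{1}.jar' -f $_, $ExpectedVersion }
    $found = @(Get-ChildItem -LiteralPath $LibPath -Filter 'log4j*.jar' -File)

    foreach ($jar in $found) {
        # Version claimed by the file name, e.g. log4j-core-2.16.0.jar -> 2.16.0
        $nameVersion = $null
        if ($jar.BaseName -match '-(\d+(\.\d+)+)$') { $nameVersion = $Matches[1] }

        # Version recorded inside the JAR (assumption: Implementation-Version is present).
        $manifestVersion = $null
        $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
        try {
            $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
            if ($entry) {
                $reader = New-Object System.IO.StreamReader($entry.Open())
                try {
                    if ($reader.ReadToEnd() -match '(?m)^Implementation-Version:\s*(\S+)') {
                        $manifestVersion = $Matches[1]
                    }
                } finally { $reader.Dispose() }
            }
        } finally { $zip.Dispose() }

        $status = 'OK'
        if ($nameVersion -ne $ExpectedVersion) { $status = 'WRONG-VERSION' }
        elseif (-not $manifestVersion) { $status = 'UNVERIFIED' }
        elseif ($manifestVersion -ne $ExpectedVersion) { $status = 'MANIFEST-MISMATCH' }
        [pscustomobject]@{ Jar = $jar.Name; ManifestVersion = $manifestVersion; Status = $status }
    }
    # A failed download or copy leaves lib without Log4j, and JMeter will not start.
    foreach ($name in $expected) {
        if ($found.Name -notcontains $name) {
            [pscustomobject]@{ Jar = $name; ManifestVersion = $null; Status = 'MISSING' }
        }
    }
}

Get-JMeterLog4jStatus | Format-Table -AutoSize
```

For an installation in another folder, pass -LibPath with that JMeter's lib directory; every row should read OK before you start the JMeter GUI again.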

Have a nice day!

Discussion (6)

moldocristi

These changes must be done to all JMeter versions installed on your machine?

Boga Sebastian Nicolae Author • Edited on

Yes. You can CHANGE row 2 and the destination folder for the copy commands in the script and re-run it for older versions on your machine.
Thank you.

moldocristi

Thank you!
The release folder can be deleted after the installation.

Boga Sebastian Nicolae Author

Yes. The zip file with release v01 and the unzipped folder can be deleted after the script has finished.

DorinOana

Thank you, Sebi,
you can delete the folder after the script has finished

Boga Sebastian Nicolae Author

Indeed;
folder C:\JMeter\cve-2021-4428 can be deleted after the script finishes.
Thank you @dorinoana