If you installed JMeter 5.4.1 on Windows from the GitHub repo install-jmeter-windows, you should by now know that you are affected by CVE-2021-44228 (Log4Shell), because JMeter is a Java application that ships log4j 2.
Here you can find a small tool that fixes the vulnerability automatically by downloading log4j 2.16.0 and replacing the log4j jars in your JMeter installation.
STEPS:
1. Stop the JMeter GUI.
2. Download Release v01 from here: https://github.com/sebiboga/jmeter-fix-cve-2021-44228-windows/releases/tag/v01
3. Unzip the release.
4. Double click on cve-2021-44228.bat.
If you did not install JMeter in C:\JMeter\apache-jmeter-5.4.1, you will have to:
- edit the bat file and, on row 2, update the location where JMeter is installed;
- then update all copy commands with the correct destination folder.
Here is the batch file:
@echo off
cd /d C:\JMeter\apache-jmeter-5.4.1\lib || exit /b 1
rem /d also switches the drive, and the exit guard stops the script if the lib folder is missing,
rem so the del below can only ever run inside JMeter's lib folder
del log4j*.*
rem download and unpack the official log4j 2.16.0 binary release
md C:\JMeter\cve-2021-4428
powershell -command "Invoke-WebRequest -Uri 'https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip' -OutFile 'C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin.zip'"
powershell -command "Expand-Archive -Force 'C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin.zip' 'C:\JMeter\cve-2021-4428'"
rem copy the four log4j jars JMeter 5.4.1 uses, now in version 2.16.0, back into lib
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-1.2-api-2.16.0.jar C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-api-2.16.0.jar C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-core-2.16.0.jar C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-slf4j-impl-2.16.0.jar C:\JMeter\apache-jmeter-5.4.1\lib\*.*
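After the script has run, it is worth confirming that the lib folder really ends up with only 2.16.0 jars, rather than trusting that the del and copy steps succeeded. The following Python script is an added example (not code from the post or from the jmeter-fix-cve-2021-44228-windows repo) that audits a lib folder: it reads each log4j jar's version from the Maven pom.properties entry that the Apache-built jars carry, falls back to the filename only when that entry is absent, and flags jars below 2.16.0, a missing log4j-core, and mixed versions (old jars left behind). The sample lib folders it builds are constructed in a temp directory so the check runs without a JMeter install; the pre-patch version 2.13.3 in the samples is a stand-in for whatever older log4j was installed.

```python
"""Post-patch check for a JMeter lib folder (added example; not code from the post or its repo)."""
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 16, 0)  # the version the batch file on this page installs
# log4j-core-2.16.0.jar -> artifact "log4j-core", version 2.16.0 (also handles log4j-1.2-api-2.16.0.jar)
LOG4J_JAR = re.compile(r"^(log4j-.+?)-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/"


def jar_version(jar_path):
    """Return (major, minor, patch) for a log4j jar, or None if it cannot be determined."""
    jar_path = Path(jar_path)
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for entry in zf.namelist():
                if entry.startswith(POM_PREFIX) and entry.endswith("/pom.properties"):
                    for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                        key, _, value = line.partition("=")
                        m = re.match(r"(\d+)\.(\d+)\.(\d+)", value.strip())
                        if key.strip() == "version" and m:
                            return tuple(int(x) for x in m.groups())
    except zipfile.BadZipFile:
        return None  # not a jar at all: report unknown rather than trusting the filename
    m = LOG4J_JAR.match(jar_path.name)  # fallback: version encoded in the filename
    return tuple(int(x) for x in m.groups()[1:]) if m else None


def audit_lib_dir(lib_dir):
    """Return (versions_by_jar, findings). An empty findings list means the folder is patched."""
    versions = {p.name: jar_version(p) for p in sorted(Path(lib_dir).glob("log4j*.jar"))}
    findings = []
    if not any(name.lower().startswith("log4j-core-") for name in versions):
        findings.append("no log4j-core jar present (JMeter needs one to start)")
    for name, ver in versions.items():
        if ver is None:
            findings.append(f"{name}: version could not be determined")
        elif ver < FIXED_VERSION:
            findings.append(f"{name}: {'.'.join(map(str, ver))} is below 2.16.0")
    distinct = {v for v in versions.values() if v is not None}
    if len(distinct) > 1:
        findings.append("mixed log4j versions in lib (old jars left behind?): " + ", ".join(sorted(versions)))
    return versions, findings


def is_patched(lib_dir):
    """True only when every log4j jar in lib is 2.16.0 or newer and a log4j-core jar exists."""
    return not audit_lib_dir(lib_dir)[1]


# --- constructed sample data, so the check can be exercised without a JMeter install ---
def _fake_jar(path, artifact, version):
    """Write a minimal jar holding only the Maven pom.properties entry (constructed sample)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"{POM_PREFIX}{artifact}/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId={artifact}\n")


def build_sample_libs():
    """Create four sample lib folders under a temp dir and return their paths by label."""
    root = Path(tempfile.mkdtemp(prefix="jmeter-lib-"))
    artifacts = ["log4j-1.2-api", "log4j-api", "log4j-core", "log4j-slf4j-impl"]
    libs = {}
    # "before": an older, vulnerable version (2.13.3 is a constructed stand-in); "after": the 2.16.0 set
    for label, version in (("before", "2.13.3"), ("after", "2.16.0")):
        d = root / label
        d.mkdir()
        for a in artifacts:
            _fake_jar(d / f"{a}-{version}.jar", a, version)
        libs[label] = d
    # "renamed": filename claims 2.16.0 but the jar's own metadata says 2.13.3
    d = root / "renamed"
    d.mkdir()
    _fake_jar(d / "log4j-core-2.16.0.jar", "log4j-core", "2.13.3")
    libs["renamed"] = d
    # "leftover": the del step did not run, so the old core jar sits beside the new one
    d = root / "leftover"
    d.mkdir()
    _fake_jar(d / "log4j-core-2.13.3.jar", "log4j-core", "2.13.3")
    _fake_jar(d / "log4j-core-2.16.0.jar", "log4j-core", "2.16.0")
    libs["leftover"] = d
    return libs


if __name__ == "__main__":
    # Point audit_lib_dir at C:\JMeter\apache-jmeter-5.4.1\lib to check a real install.
    for label, path in build_sample_libs().items():
        _, findings = audit_lib_dir(path)
        print(f"[{label}] {'PATCHED' if not findings else 'NEEDS ATTENTION'}")
        for line in findings:
            print("   -", line)
```

Reading the version out of the jar rather than from its name matters because a renamed jar passes a directory listing but not this check; the "mixed versions" finding catches the case where the del step failed, which leaves two log4j-core jars on the classpath and makes it unclear which one JMeter actually loads.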
Have a nice day!
Top comments (6)
Must these changes be done to all JMeter versions installed on your machine?
Yes. You can change row 2 and the destination folder for the copy commands in the script and re-run it for older versions on your machine.
thank you
Thank you!
The release folder can be deleted after the installation.
Yes. The zip file with release v01 and the unzipped folder can be deleted after the script has finished.
Thank you Sebi,
You can delete the folder after the script has finished.
Indeed;
folder C:\JMeter\cve-2021-4428 can be deleted after the script finishes.
thank you @dorinoana