JMeter 5.4.1 fix for Security CVE-2021-44228 issue

#jmeter #cve202144228 #security

In case you installed on Windows, JMeter 5.4.1 from the Github repo: install-jmeter-windows, by now you should know that you are impacted by Security issue CVE-2021-44228 because JMeter is a JAVA application

Here you can find an automatic tool that will fix your vulnerability by downloading the log4j version 2.16

STEPS:

STOP JMeter GUI

download Release v01 from here: https://github.com/sebiboga/jmeter-fix-cve-2021-44228-windows/releases/tag/v01

unzip the Release

double click on cve-2021-44228.bat

In case you didn't installed JMeter in C:\JMeter\apache-jmeter-5.4.1, you'll have to:

EDIT the bat file and on row 2, update your location where JMeter is installed;
then update all copy commands with correct destination folder

Here is the batch file:

@echo off
cd C:\JMeter\apache-jmeter-5.4.1\lib
del log4j*.*
md C:\JMeter\cve-2021-4428

powershell -command "Invoke-WebRequest   -Uri 'https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip' -OutFile 'C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin.zip'"
powershell -command "Expand-Archive -Force 'C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin.zip' 'C:\JMeter\cve-2021-4428'"
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-1.2-api-2.16.0.jar  C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-api-2.16.0.jar  C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-core-2.16.0.jar  C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-slf4j-impl-2.16.0.jar  C:\JMeter\apache-jmeter-5.4.1\lib\*.*

Have a nice day!