Posted to dev@jmeter.apache.org by NaveenKumar Namachivayam <ca...@gmail.com> on 2021/12/29 17:01:16 UTC

Log4j 2.17.1 in 5.4.4 or 5.5

Hi Team,

Could you please let me know which JMeter version will have Log4j 2.17.1?
Is it in JMeter 5.4.4 or 5.5? Please advise.

Thank you

-- 
NaveenKumar Namachivayam
Performance Engineer, QAInsights
<http://github.com/qainsights> <http://youtube.com/qainsights>
<http://us.linkedin.com/in/naveenkumarn> <http://twitter.com/qainsights>
<http://facebook.com/naveenkumar%5C.namachivayam>
  naveenkumar@hey.com
  https://qainsights.com
  Cincinnati, OH
Latest article What’s new in Apache JMeter 5.4.3?
<https://qainsights.com/apache-jmeter-5-4-3/>

Re: Log4j 2.17.1 in 5.4.4 or 5.5

Posted by NaveenKumar Namachivayam <ca...@gmail.com>.
Thanks. I understand the CVE. I just want to know the target release of
JMeter with Log4j 2.17.1.

On Wed, Dec 29, 2021 at 12:29 PM OUFDOU Anas <ou...@gmail.com> wrote:

> Hello,
>
> I don't think the vulnerability related to 2.17.1 is critical for JMeter
> like the first one, as it concerns only JDBC logging and only if an
> attacker can change the log4j configuration (*Apache Log4j2 versions 2.0-beta7
> through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are
> vulnerable to a remote code execution (RCE) attack where an attacker with
> permission to modify the logging configuration file can construct a
> malicious configuration using a JDBC Appender with a data source
> referencing a JNDI URI which can execute remote code*). By default, JMeter
> doesn't use JDBC logging.
>
> I am not saying that JMeter should not upgrade this version, but for the
> moment, and as this vulnerability is defined, there should not be any risk
> to JMeter users.
>
> Best Regards
>
> On Wed, Dec 29, 2021 at 6:01 PM NaveenKumar Namachivayam <
> catchnaveen.psgtech@gmail.com> wrote:
>
> > Hi Team,
> >
> > Could you please let me know which JMeter version will have Log4j 2.17.1?
> > Is it in JMeter 5.4.4 or 5.5? Please advise.
> >
> > Thank you
> >
> >
>
>
> --
> Cordialement,
> -------------
> Anas OUFDOU
>



Re: Log4j 2.17.1 in 5.4.4 or 5.5

Posted by OUFDOU Anas <ou...@gmail.com>.
Hello,

I don't think the vulnerability related to 2.17.1 is critical for JMeter
like the first one, as it concerns only JDBC logging and only if an
attacker can change the log4j configuration (*Apache Log4j2 versions 2.0-beta7
through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are
vulnerable to a remote code execution (RCE) attack where an attacker with
permission to modify the logging configuration file can construct a
malicious configuration using a JDBC Appender with a data source
referencing a JNDI URI which can execute remote code*). By default, JMeter
doesn't use JDBC logging.

I am not saying that JMeter should not upgrade this version, but for the
moment, and as this vulnerability is defined, there should not be any risk
to JMeter users.

Best Regards

On Wed, Dec 29, 2021 at 6:01 PM NaveenKumar Namachivayam <
catchnaveen.psgtech@gmail.com> wrote:

> Hi Team,
>
> Could you please let me know which JMeter version will have Log4j 2.17.1?
> Is it in JMeter 5.4.4 or 5.5? Please advise.
>
> Thank you
>
>


-- 
Cordialement,
-------------
Anas OUFDOU
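
Added example, not part of the original thread and not JMeter or Log4j project code: one way to check the condition described in the reply above, namely whether a Log4j2 XML configuration (for JMeter, its log4j2.xml) defines a JDBC Appender whose data source is a JNDI name. The sample configurations, the function name and the severity labels are constructed for illustration; the `java:` check reflects the 2.17.1 fix, which limits JNDI data source names to the java protocol.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations, not taken from JMeter or from the thread.
FILE_ONLY = """<Configuration status="WARN">
  <Appenders>
    <File name="jmeter-log" fileName="jmeter.log">
      <PatternLayout pattern="%d %p %c: %m%n"/>
    </File>
  </Appenders>
</Configuration>"""

JDBC_WITH_JNDI = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="dbLog" tableName="app_log">
      <DataSource jndiName="ldap://directory.example.invalid/ds"/>
    </JDBC>
    <Appender type="JDBC" name="dbLocal" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LogDS"/>
    </Appender>
  </Appenders>
</Configuration>"""


def _local(tag):
    """Lower-cased element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1].lower()


def audit_log4j2_config(xml_text):
    """Return (appender, jndiName, severity) per JDBC appender data source."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Log4j2 treats element and attribute names case-insensitively.
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        is_jdbc = _local(elem.tag) == "jdbc" or (
            _local(elem.tag) == "appender"
            and attrs.get("type", "").lower() == "jdbc")
        if not is_jdbc:
            continue
        for child in elem:
            if _local(child.tag) != "datasource":
                continue
            c_attrs = {k.lower(): v for k, v in child.attrib.items()}
            jndi = c_attrs.get("jndiname", "")
            # Hypothetical labels: non-java: names are the case 2.17.1 blocks.
            severity = "review" if jndi.lower().startswith("java:") else "high"
            findings.append((attrs.get("name", "<unnamed>"), jndi, severity))
    return findings
```

An empty result means the configuration has no JDBC Appender with a JNDI data source, which is the situation the reply describes for a default JMeter setup.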