The Apache JMeter team has released its next minor version of JMeter 5.4.3 for the Log4j security vulnerability CVE-2021-45105. In my last few articles, I have posted about Log4j Vulnerability – Important Note to Performance Engineers, What’s new in Apache JMeter 5.4.2?, and What to do if you cannot upgrade to JMeter 5.4.2 for Log4j Vulnerability?. Let us see what’s new in Apache JMeter 5.4.3.
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
Apache JMeter 5.4.3
As this minor patch addresses CVE-2021-45105, it doesn’t have any new and noteworthy section. There are no other bug fixes, enhancements, samplers, etc.
JMeter 5.4.3 has bumped up versions of log4j from 2.16.0 to 2.17.0.
To download the latest version of JMeter, head to https://jmeter.apache.org/download_jmeter.cgi
Click any one of the apache-jmeter-5.4.3 flavor to download.
After download the file, verify the integrity using the sha512 checksum.
JMeter Release process
There are multiple steps involved in releasing the newer version. Since this is a security fix, the votes are solicited for 24 hrs and closed.
It is recommended to update your JMeter to 5.4.3. Suppose, if you are not able to upgrade, there are workarounds mentioned in this article.