I have already posted a detailed article about the Log4j vulnerability and how to mitigate it with various performance testing tools. You can also check what’s new in Apache JMeter 5.4.2. In this blog article, we are going to see what the alternate way to mitigate the Log4j exploit is if you are not able to update or upgrade to the latest version, JMeter 5.4.2.
Updating log4j jars for JMeter 5.4.1
I am assuming the most widely installed version of JMeter is 5.4.1. If, for various reasons, you are not able to update JMeter to 5.4.2, you can update the log4j JARs alone in the
Go to the Log4j download site and download the Log4j 2.16 zip file.
Delete all the
Copy the below JAR files and paste them into the
log4j-1.2-api-2.16.0.jar
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
log4j-slf4j-impl-2.16.0.jar
If you are using JMeter 3.3, it has the below log4j JARs:
log4j-1.2-api-2.8.2.jar
log4j-api-2.8.2.jar
log4j-core-2.8.2.jar
log4j-slf4j-impl-2.8.2.jar
The Log4j CVE-2021-44228 vulnerability exists in all versions from 2.0-beta9 to 2.14.1.
The Log4j CVE-2021-45046 vulnerability exists in all versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.
JMeter 3.3 uses log4j 2.8.2 which is also vulnerable.
If you are not able to update to JMeter 5.4.2, upgrading to log4j 2.16 might not be backward compatible.
The solution is to remove the JndiLookup class from the class path. The below command helps you to mitigate the risk.
Navigate to the
Run the ll log4j-* command as shown below. Observe the size and the date of the log4j core file.
To remove the JndiLookup class, enter the below command and hit enter.
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Now, repeat the ll log4j-* command.
You can see the reduction in size and the new last-modified date: the JndiLookup class has been removed from the core JAR.
Only log4j-core is impacted by these vulnerabilities; there is no need to touch the other log4j JARs in JMeter.
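The check and the removal step above can also be scripted, which is handy when several JMeter installations have to be audited. The following is an added example (not code from the article or from the JMeter or Log4j projects): it classifies a log4j-core JAR by the affected version ranges exactly as stated above, reports whether JndiLookup.class is still present, and rewrites the JAR without that entry using Python's standard zipfile module in place of the zip -q -d command. The run_demo function builds a constructed, minimal fake jar in a temporary directory purely to exercise the code; it is not a real log4j build. Point audit_lib_dir at JMeter's lib folder in real use.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entry removed by the `zip -q -d` command in the article.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Comparable version keys: (major, minor, patch, is_release, beta_no).
# A beta sorts before the release of the same number, so 2.0-beta9 < 2.0.
V_2_0_BETA9 = (2, 0, 0, 0, 9)
V_2_12_2 = (2, 12, 2, 1, 0)
V_2_14_1 = (2, 14, 1, 1, 0)
V_2_15_0 = (2, 15, 0, 1, 0)


def version_key(jar_name: str):
    """Parse 'log4j-core-<version>.jar' into a comparable tuple, or None."""
    m = re.match(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?\.jar$", jar_name)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, 0, int(m.group(4)))
    return (major, minor, patch, 1, 0)


def affected_cves(jar_name: str) -> list:
    """CVE ids whose affected range (as stated in the article) covers this jar."""
    v = version_key(jar_name)
    if v is None:
        return []
    cves = []
    if V_2_0_BETA9 <= v <= V_2_14_1:
        cves.append("CVE-2021-44228")
    if V_2_0_BETA9 <= v <= V_2_15_0 and v != V_2_12_2:
        cves.append("CVE-2021-45046")
    return cves


def has_jndi_lookup(jar_path: Path) -> bool:
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def remove_jndi_lookup(jar_path: Path) -> bool:
    """Rewrite the jar without JndiLookup.class; True if it was present."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    jar_path.write_bytes(buf.getvalue())
    return True


def audit_lib_dir(lib_dir: Path) -> dict:
    """{jar name: {'cves': [...], 'jndi_present': bool}} for every log4j-core jar."""
    return {
        jar.name: {"cves": affected_cves(jar.name), "jndi_present": has_jndi_lookup(jar)}
        for jar in sorted(lib_dir.glob("log4j-core-*.jar"))
    }


def make_demo_jar(path: Path) -> None:
    """Constructed sample jar mimicking the log4j-core layout (placeholder bytes)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe placeholder")


def run_demo() -> dict:
    """Audit a temp 'lib' dir holding the constructed jar, strip the class, re-audit."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d)
        jar = lib / "log4j-core-2.8.2.jar"  # version JMeter 3.3 ships, per the article
        make_demo_jar(jar)
        before = audit_lib_dir(lib)
        removed = remove_jndi_lookup(jar)
        after = audit_lib_dir(lib)
        with zipfile.ZipFile(jar) as zf:
            remaining = sorted(zf.namelist())
    return {"before": before, "removed": removed, "after": after, "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
```

The rewrite keeps every other entry of the JAR byte for byte, so the surviving classes load as before; only the JNDI lookup plugin disappears, which is the same end state the zip -q -d command produces.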
Another workaround, which does not work for CVE-2021-45046, is:
//NOT RECOMMENDED
-Dlog4j2.formatMsgNoLookups=true    //JMeter startup options
log4j2.formatMsgNoLookups=true      //system.properties
My recommendation is to update to JMeter 5.4.2 to get the latest features, bug fixes, performance improvements, and security fixes.