What to do if you cannot upgrade to JMeter 5.4.2 for Log4j Vulnerability?

I have already posted a detailed article about the Log4j vulnerability and how to mitigate it with various performance testing tools. You can also check what's new in Apache JMeter 5.4.2. In this article we look at what to do if you cannot update or upgrade to JMeter 5.4.2: the alternate ways to mitigate the Log4j vulnerability in an older JMeter installation.

Option #1

Updating log4j jars for JMeter 5.4.1

I am assuming that the most widely installed version of JMeter is 5.4.1. If, for whatever reason, you cannot update JMeter to 5.4.2, you can update the log4j JARs alone in the lib folder.

Go to the Log4j download site and download the Log4j 2.16.0 binary zip file. (The file names below are for 2.16.0, the release this article was written against; if a newer 2.x release has since been published, prefer it and substitute its version number.)

Extract it.

Go to JMETER_HOME\lib.

Delete all the log4j-*.jar files. Do not leave an old log4j-core JAR next to the new one: two versions of the same library on the classpath is unsafe, and you cannot easily tell which one JMeter will pick up.

Copy the following JAR files from the extracted archive into the lib folder:

log4j-1.2-api-2.16.0.jar
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
log4j-slf4j-impl-2.16.0.jar
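The steps above done as a script, with the two checks a practitioner wants on top: the old JARs are moved into a backup folder outside lib (so JMeter cannot load them), and after the copy the script verifies that exactly one version of each of the four modules is present. This is an added example, not code from the original article or from the JMeter project; the installation and release paths in the __main__ block are assumptions.

```python
import re
import shutil
import time
from pathlib import Path

# The four Log4j 2 artifacts JMeter ships in JMETER_HOME/lib.
LOG4J_MODULES = ("log4j-1.2-api", "log4j-api", "log4j-core", "log4j-slf4j-impl")

# log4j-1.2-api-2.16.0.jar -> module "log4j-1.2-api", version "2.16.0".
# The version is the trailing dotted number with an optional -tag (2.0-beta9).
JAR_RE = re.compile(r"^(log4j-.+?)-(\d+(?:\.\d+)+(?:-[A-Za-z0-9]+)?)\.jar$")


def installed_log4j(lib_dir):
    """Map each log4j module found in lib_dir to the list of versions present."""
    found = {}
    for jar in Path(lib_dir).glob("log4j-*.jar"):
        m = JAR_RE.match(jar.name)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def replace_log4j_jars(lib_dir, release_dir, version):
    """Move every log4j-*.jar out of lib_dir into a timestamped backup folder
    next to lib (outside it, so JMeter cannot load the old JARs), copy the
    four modules from the extracted release in, and verify that exactly one
    version of each module remains. Returns the backup directory."""
    lib, rel = Path(lib_dir), Path(release_dir)
    new_jars = [rel / f"{mod}-{version}.jar" for mod in LOG4J_MODULES]
    missing = [j.name for j in new_jars if not j.is_file()]
    if missing:
        # Fail before touching lib: a half-done swap is worse than none.
        raise FileNotFoundError(f"not found in {rel}: {missing}")

    backup = lib.parent / f"log4j-backup-{time.strftime('%Y%m%d-%H%M%S')}"
    backup.mkdir(exist_ok=True)
    for old in lib.glob("log4j-*.jar"):
        shutil.move(str(old), str(backup / old.name))
    for jar in new_jars:
        shutil.copy2(jar, lib / jar.name)

    # A leftover old log4j-core beside the new one would still be on the classpath.
    present = installed_log4j(lib)
    wrong = {mod: v for mod, v in present.items() if v != [version]}
    if wrong or set(present) != set(LOG4J_MODULES):
        raise RuntimeError(f"unexpected log4j JARs in {lib}: {present}")
    return backup


if __name__ == "__main__":
    # Paths are assumptions; adjust them to your installation.
    done = replace_log4j_jars("/opt/apache-jmeter-5.4.1/lib",
                              "/tmp/apache-log4j-2.16.0-bin", "2.16.0")
    print("old JARs backed up to", done)
```

Run it once with JMeter stopped, then start JMeter and check jmeter.log still opens; if anything is wrong, the backup folder holds the original JARs.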

Option #2

JMeter 3.3

If you are using JMeter 3.3, it ships the following log4j JARs:

log4j-1.2-api-2.8.2.jar
log4j-api-2.8.2.jar
log4j-core-2.8.2.jar
log4j-slf4j-impl-2.8.2.jar

Log4j CVE-2021-44228 affects all versions from 2.0-beta9 to 2.14.1 (2.12.2, the fix release for the Java 7 line, is not affected).

Log4j CVE-2021-45046 affects all versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.

JMeter 3.3 uses log4j 2.8.2, which is affected by both.
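The two ranges above turned into a check you can run against any JMeter lib folder, as an added example (not code from the original article). It reads the version out of the log4j-core JAR name and compares it against the ranges with a comparison that orders pre-release tags correctly (2.0-beta9 < 2.0-rc1 < 2.0); 2.12.2 is treated as unaffected by both CVEs, since it is the fix release for the Java 7 line. The default lib path in the __main__ block is an assumption.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, str, int]]:
    """Turn '2.0-beta9' / '2.16.0' into a sortable key. Numeric parts are
    padded to three components; a release ranks above any pre-release of the
    same number, so 2.0-beta9 < 2.0-rc1 < 2.0."""
    num, _, pre = v.partition("-")
    parts = [int(x) for x in num.split(".")]
    parts += [0] * (3 - len(parts))
    if pre:
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", pre)
        if not m:
            raise ValueError(f"unrecognised pre-release tag in {v!r}")
        tag = (0, m.group(1).lower(), int(m.group(2) or 0))
    else:
        tag = (1, "", 0)
    return (tuple(parts), tag)


def in_range(v: str, low: str, high: str) -> bool:
    return parse_version(low) <= parse_version(v) <= parse_version(high)


def affected_cves(version: str) -> List[str]:
    """CVEs from the ranges quoted in the article that apply to this Log4j 2
    version. 2.12.2 is the fix release for the Java 7 line and is excluded."""
    if version == "2.12.2":
        return []
    cves = []
    if in_range(version, "2.0-beta9", "2.14.1"):
        cves.append("CVE-2021-44228")
    if in_range(version, "2.0-beta9", "2.15.0"):
        cves.append("CVE-2021-45046")
    return cves


def log4j_core_version(lib_dir) -> Optional[str]:
    """Version embedded in the name of lib/log4j-core-<version>.jar, if any."""
    for jar in Path(lib_dir).glob("log4j-core-*.jar"):
        return jar.name[len("log4j-core-"):-len(".jar")]
    return None


def check_jmeter_lib(lib_dir) -> Tuple[Optional[str], List[str]]:
    """(log4j-core version found in lib_dir, CVEs that apply to it)."""
    version = log4j_core_version(lib_dir)
    return (version, affected_cves(version) if version else [])


if __name__ == "__main__":
    import sys
    # The argument is assumed to be JMETER_HOME/lib; the default is illustrative.
    lib = sys.argv[1] if len(sys.argv) > 1 else "/opt/apache-jmeter-3.3/lib"
    print(check_jmeter_lib(lib))
```

For a stock JMeter 3.3 lib folder this reports ('2.8.2', ['CVE-2021-44228', 'CVE-2021-45046']); after the JndiLookup removal described below the JAR name, and therefore this check, does not change, so use it to find installations that still need attention, not to confirm the class is gone.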

If you cannot update to JMeter 5.4.2, dropping log4j 2.16 into JMeter 3.3 is not guaranteed to work either: the log4j API moved on between 2.8.2 and 2.16, so the swap may not be backward compatible.

The alternative is to remove the JndiLookup class from the log4j-core JAR, so that it is no longer on the classpath. The command below mitigates the risk.

Navigate to the lib folder.

Run ls -l log4j-* (ll is a common alias for it) as shown below, and note the size and date of the log4j-core file.

[Image: Log4j JNDI LookUp – ls -l output before removing the class]

To remove the JndiLookup class, run the command below. It needs the zip utility, and the log4j-core-*.jar glob must expand to exactly one JAR (true for a stock JMeter lib folder); with two matches, zip would treat the second as an entry name to delete.

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Now repeat ls -l log4j-*.

[Image: Log4j JNDI LookUp – After Removing the class]

The file is smaller and has a new modification date: the JndiLookup class has been removed from the log4j-core JAR. Restart JMeter so that the modified JAR is the one loaded.

Only log4j-core is affected by these vulnerabilities; the other log4j JARs in JMeter do not need to be touched.
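The same removal done without the zip utility (which is typically missing on Windows), plus the verification step the text does by eye: the script rewrites the JAR without the JndiLookup entry, keeps the original as a .bak file, and scans every JAR under the lib tree (lib/ext included) for the class, so a shaded copy of log4j-core inside a plugin JAR is caught too. This is an added example, not code from the original article or from the Log4j or JMeter projects; the default lib path in the __main__ block is an assumption.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jars_with_jndi_lookup(root):
    """Every *.jar under root (recursively, so lib/ext too) that still
    contains JndiLookup.class; catches shaded copies, not just log4j-core."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if JNDI_LOOKUP in zf.namelist():
                    hits.append(jar)
        except zipfile.BadZipFile:
            continue  # not a real JAR; nothing to scan
    return hits


def remove_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class, copying every other entry
    with its original compression and timestamp, and leave the untouched
    original beside it as <name>.bak. Returns True if the class was removed,
    False if it was not present."""
    jar = Path(jar_path)
    with zipfile.ZipFile(jar) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        # Build the new archive in the same directory so the final rename is atomic.
        fd, tmp = tempfile.mkstemp(suffix=".tmp", dir=jar.parent)
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    shutil.copy2(jar, jar.with_name(jar.name + ".bak"))
    os.replace(tmp, jar)
    return True


if __name__ == "__main__":
    import sys
    # The argument is assumed to be JMETER_HOME/lib; the default is illustrative.
    lib = sys.argv[1] if len(sys.argv) > 1 else "/opt/apache-jmeter-3.3/lib"
    for hit in jars_with_jndi_lookup(lib):
        print("removing JndiLookup.class from", hit, remove_jndi_lookup(hit))
    print("JARs still carrying JndiLookup.class:", jars_with_jndi_lookup(lib))
```

Run it with JMeter stopped; the final scan should print an empty list. The .bak file sits in lib but is not a *.jar, so JMeter ignores it, and it lets you roll back by renaming.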

Another workaround, which mitigates CVE-2021-44228 but does NOT cover CVE-2021-45046, is disabling message lookups. It is not recommended; use the JndiLookup removal above instead.

-Dlog4j2.formatMsgNoLookups=true    (JMeter startup option, for example via JVM_ARGS)

log4j2.formatMsgNoLookups=true      (JMETER_HOME/bin/system.properties)

Recommended Solution

My recommendation is to update to JMeter 5.4.2 to get the latest features, bug fixes, performance improvements and security fixes.
