Hello,

I don't think the vulnerability related to 2.17.1 is critical for JMeter like the first one, as it concerns only JDBC logging and only if an attacker can change the log4j configuration.

(*Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code*)

By default JMeter doesn't use JDBC logging.

I am not saying that JMeter should not upgrade this version, but for the moment, and as this vulnerability is defined, there should not be any risk to JMeter users.

Best Regards

On Wed, Dec 29, 2021 at 6:01 PM NaveenKumar Namachivayam <[email protected]> wrote:

> Hi Team,
>
> Could you please let me know which JMeter version will have Log4j 2.17.1?
> Is it in JMeter 5.4.4 or 5.5? Please advise.
>
> Thank you
>
> --
> NaveenKumar Namachivayam
> Performance Engineer, QAInsights
> <http://github.com/qainsights> <http://youtube.com/qainsights>
> <http://us.linkedin.com/in/naveenkumarn> <http://twitter.com/qainsights>
> <http://facebook.com/naveenkumar%5C.namachivayam>
> [email protected]
> https://qainsights.com
> Cincinnati, OH
> Latest article What’s new in Apache JMeter 5.4.3?
> <https://qainsights.com/apache-jmeter-5-4-3/>

--
Kind regards,
-------------
Anas OUFDOU
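As an added example (not part of the original thread, and not JMeter or Log4j project code), here is a small Python check for the precondition quoted in the reply above: it reports whether a Log4j2 XML configuration declares a JDBC appender whose data source is looked up through JNDI. Both configurations are constructed samples, the function name `audit_log4j2_config` is hypothetical, and only XML-format configurations are handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: file-only logging, no JDBC appender.
FILE_ONLY = """<Configuration status="WARN">
  <Appenders>
    <File name="jmeter-log" fileName="jmeter.log">
      <PatternLayout pattern="%d %p %c{1.}: %m%n"/>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="jmeter-log"/></Root></Loggers>
</Configuration>"""

# Constructed sample: JDBC appender whose data source is a JNDI name.
WITH_JDBC = """<Configuration status="WARN">
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="ldap://logs.example.invalid/ds"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="db"/></Root></Loggers>
</Configuration>"""

def _local(name):
    """Lower-cased tag or attribute name without an XML namespace prefix."""
    return name.rsplit("}", 1)[-1].lower()

def audit_log4j2_config(xml_text):
    """Return one finding per JNDI data source used by a JDBC appender."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        attrs = {_local(k): v for k, v in el.attrib.items()}
        # Concise form <JDBC ...> or strict form <Appender type="JDBC" ...>.
        strict_jdbc = tag == "appender" and attrs.get("type", "").lower() == "jdbc"
        if tag != "jdbc" and not strict_jdbc:
            continue
        for child in el.iter():
            jndi = {_local(k): v for k, v in child.attrib.items()}.get("jndiname")
            if jndi is not None:
                findings.append({
                    "appender": attrs.get("name"),
                    "jndi_name": jndi,
                    # Fixed releases limit JNDI data source names to java:
                    "java_scheme": jndi.strip().lower().startswith("java:"),
                })
    return findings

if __name__ == "__main__":
    for label, cfg in (("file-only", FILE_ONLY), ("with-jdbc", WITH_JDBC)):
        print(label, audit_log4j2_config(cfg))
```

An empty result means the configuration does not meet the JDBC Appender condition in the quoted advisory text; it says nothing about who can write to the file.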
