https://bz.apache.org/bugzilla/show_bug.cgi?id=65808
Bug ID: 65808
Summary: Log4J Security Risk in 5.4.3
Product: JMeter
Version: 5.4.3
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: HTTP
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: JMETER_5.5
Hi JMeter team,
We are using JMeter for our project. This mail is regarding the security risk
because of Log4j. We were using JMeter 4.0 (planning to upgrade to JMeter
5.4.3 version). But according to the release notes, the Log4j security risk is
still there in 5.4.3.
We need the following help from you:
1. It would be helpful if we can get a fix for this issue.
2. We have found that the latest version of JMeter, 5.4.3, has the 2.17.0
Log4j jar.
But 2.17 also has two direct vulnerabilities; the details of both show that
they are vulnerable.
In the Maven repository
(https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core),
we have the 2.17.1 version, which shows no vulnerability, so can you please
advise whether we can use the 2.17.1 jar with Apache JMeter 5.4.3 version? Is that
supported if we do it, and will it resolve the current Log4j threat?