Hello, Would you please clarify, how adding the next line to system.properties file (lives in "bin" folder of your JMeter installation), mitigate security risk with log4j2 ?
Thanks, Yevgeniy Grimaylo From: Mariusz W <mawa...@gmail.com> Reply-To: JMeter Users List <user@jmeter.apache.org> Date: Wednesday, December 15, 2021 at 4:09 AM To: JMeter Users List <user@jmeter.apache.org> Subject: Re: Jmeter Log4J I tested it and it works:) -Dlog4j2.formatMsgNoLookups=true Regards, Mariusz On Tue, 14 Dec 2021 at 16:45, Dmitri T <glin...@live.com<mailto:glin...@live.com>> wrote: It should be sufficient to add the next line to system.properties file (lives in "bin" folder of your JMeter installation) log4j2.formatMsgNoLookups=true or pass this property via -D command-line argument like: jmeter -Dlog4j2.formatMsgNoLookups=true -n -t ..... More information: * Constants.java from log4j 2.13.3<https://urldefense.com/v3/__https:/github.com/apache/logging-log4j2/blob/log4j-2.13.3/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Constants.java*L63__;Iw!!A4F2R9G_pg!Mv2_eh9t63s3rXK_r7PgpdiuSD9ZV3AOd5CP0g2hgyursYjcOCQrvIL-W77C8f29VI3_Cm6v8A$> * Configuring JMeter<https://urldefense.com/v3/__https:/jmeter.apache.org/usermanual/get-started.html*configuring_jmeter__;Iw!!A4F2R9G_pg!Mv2_eh9t63s3rXK_r7PgpdiuSD9ZV3AOd5CP0g2hgyursYjcOCQrvIL-W77C8f29VI2hUuyepA$> * Apache JMeter Properties Customization Guide<https://urldefense.com/v3/__https:/www.blazemeter.com/blog/apache-jmeter-properties-customization__;!!A4F2R9G_pg!Mv2_eh9t63s3rXK_r7PgpdiuSD9ZV3AOd5CP0g2hgyursYjcOCQrvIL-W77C8f29VI12lFankQ$> * Overriding Properties Via The Command Line<https://urldefense.com/v3/__https:/jmeter.apache.org/usermanual/get-started.html*override__;Iw!!A4F2R9G_pg!Mv2_eh9t63s3rXK_r7PgpdiuSD9ZV3AOd5CP0g2hgyursYjcOCQrvIL-W77C8f29VI1ZvHFyQw$> On 12/14/2021 12:40 PM, Smruti Ranjan Roul wrote: Hi Team, With the recent vulnerabilities identified on Apache Log4j on 10th December, I wanted to know if there will be a new version of the Apache JMeter planned with the latest log4j versions. With the organization security policy, there will be a scan on the log4j. We know this will not have any impact with the vulnerability identified, but to provide the InfoSec team, with a confirmation email from the provider will be a added confidence. Thanks in advance. Thanks, and Regards, Smruti Ranjan Roul Technical Lead- QA [cid:image001.jpg@01D7F1B1.430C8B80] First American (India) Private Limited “Aveda Meta”, No.184, Old Madras Road, Opp. Swami Vivekanand Metro Station, Indiranagar, Bangalore-560038, Karnataka, India Mobile : + 91 8880138672 Email : sranjanr...@firstam.com<mailto:sranjanr...@firstam.com> ****************************************************************************************** This message may contain confidential or proprietary information intended only for the use of the addressee(s) named above or may contain information that is legally privileged. If you are not the intended addressee, or the person responsible for delivering it to the intended addressee, you are hereby notified that reading, disseminating, distributing or copying this message is strictly prohibited. If you have received this message by mistake, please immediately notify us by replying to the message and delete the original message and any copies immediately thereafter. If you received this email as a commercial message and would like to opt out of future commercial messages, please let us know and we will remove you from our distribution list. Thank you. ****************************************************************************************** FAFLD
