As the CVE score for 2.17.0 isn't that severe and the default config from JMeter should not be affected by it, we haven't done another minor release.
You have a few options to mitigate this yourself.

a) Replace the log4j2 components with newer ones (2.17.1 for example)
b) Use a nightly build, which has current log4j2 versions (along with other security related library updates)

For your point 2) I fear you have to give us more details: which mirror server were you using and which artifact did you download?

Felix

PS. we plan to release a 5.5 version soonish (can't give any real date, sorry)

On 26.01.22 at 17:06, Jackson, Mike wrote:
>
> In updating to the latest version, we noticed 2 issues when upgrading
> to 5.4.3.
>
> 1. The change_history Printable doc is showing the update only to
> 2.16 as they are referencing version 5.4.2
> 2. The server mirror is using an old version of log4j – 2.11.1
>
> We were also wondering when the latest version from gitlab will be
> available as a source/binary download as that appears to include log4j
> 2.17.1 versus the current 2.17.0 which has other vulnerabilities
> although not as severe.
>
> Charter-Spectrum
> Mike Jackson | SST Residential Back End API Tester
> 6360 South Fiddler's Green Circle | Greenwood Village, CO 80111
>
> The contents of this e-mail message and any attachments are intended
> solely for the addressee(s) and may contain confidential and/or legally
> privileged information. If you are not the intended recipient of this
> message or if this message has been addressed to you in error, please
> immediately alert the sender by reply e-mail and then delete this
> message and any attachments. If you are not the intended recipient, you
> are notified that any use, dissemination, distribution, copying, or
> storage of this message or any attachment is strictly prohibited.
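Option a) above (swapping the log4j2 jars) only helps if every log4j jar in the installation is replaced, and a mirror can hand out an older set, as point 2 of the original mail shows. The following script is an added example, not JMeter's or Felix's code: it audits the jar names in a JMeter lib/ directory against a minimum version (2.17.1, the version named above) and lists the ones that fall below it. It assumes the jars follow Maven-style artifact-version.jar naming; the sample listing is constructed, not a real distribution.

```python
import re
from pathlib import Path

# Assumed minimum: the replacement version named in the thread (2.17.1).
MIN_VERSION = "2.17.1"

# Matches Log4j 2 jar names such as log4j-core-2.17.0.jar (assumed Maven-style naming).
# Non-greedy artifact group lets names like log4j-1.2-api-2.17.0.jar split correctly.
JAR_RE = re.compile(r"^(log4j-[a-z0-9.\-]+?)-(\d+(?:\.\d+)*)\.jar$")

def parse_version(v):
    """Turn '2.17.1' into (2, 17, 1) so versions compare numerically, not as strings
    (string comparison would wrongly rank '2.9.0' above '2.17.1')."""
    return tuple(int(p) for p in v.split("."))

def audit_log4j_jars(jar_names, minimum=MIN_VERSION):
    """Return {artifact: (version, ok)} for every log4j jar name; ok means version >= minimum."""
    floor = parse_version(minimum)
    result = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue  # not a log4j jar, ignore
        artifact, version = m.groups()
        result[artifact] = (version, parse_version(version) >= floor)
    return result

def outdated(jar_names, minimum=MIN_VERSION):
    """Sorted 'artifact-version' strings for the log4j jars below the minimum."""
    audited = audit_log4j_jars(jar_names, minimum)
    return sorted(f"{a}-{v}" for a, (v, ok) in audited.items() if not ok)

def audit_lib_dir(lib_dir, minimum=MIN_VERSION):
    """Audit a real JMeter lib/ directory on disk, e.g. audit_lib_dir('/opt/jmeter/lib')."""
    return outdated([p.name for p in Path(lib_dir).glob("*.jar")], minimum)

# Constructed sample listing (not a real JMeter distribution), mixing the 2.17.0 jars of the
# release with a stray 2.11.1 jar like the one reported from the mirror.
SAMPLE_LIB = [
    "log4j-api-2.17.0.jar",
    "log4j-core-2.17.0.jar",
    "log4j-1.2-api-2.17.0.jar",
    "log4j-slf4j-impl-2.11.1.jar",
    "slf4j-api-1.7.30.jar",  # not log4j, skipped by the audit
]

if __name__ == "__main__":
    for jar in outdated(SAMPLE_LIB):
        print("below", MIN_VERSION + ":", jar)
```

Run it against the lib/ directory of the unpacked download (audit_lib_dir) before and after replacing the jars; an empty list means every log4j jar meets the minimum.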