Closed Jothivs closed 2 years ago
Hi algattik,
The current "JMeter Tool Installer" task installs the latest Apache JMeter version 5.4.1 from the URL "https://archive.apache.org/dist/jmeter/binaries/..". But this package has older versions of the Apache log4j jars (2.13.3), which have a security vulnerability. This vulnerability has been resolved in the latest version of log4j from 2.15.0. Please refer: https://www.kaspersky.com.au/blog/log4shell-critical-vulnerability-in-apache-log4j/30102/
Jars affected: log4j-1.2-api-2.13.3.jar, log4j-api-2.13.3.jar, log4j-core-2.13.3.jar, log4j-slf4j-impl-2.13.3.jar
Just wondering, on downloading & installing the latest version of Apache JMeter using this same extension in an Azure pipeline, how to make sure the latest versions of the libs like log4j, etc. get downloaded as well. Can you please provide your thoughts?
Updated extension (version 0.1.7) to install JMeter 5.4.2 by default. Thanks for reporting.
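One way to verify the result after the installer task runs, as an added example that is not part of the original thread or the extension's code: a script step that fails the build when any log4j jar in the JMeter `lib` directory is older than a minimum version. The directory argument, the `MIN_LOG4J` variable and the availability of `sort -V` are assumptions.

```shell
#!/bin/sh
# Added example: flag log4j jars older than a minimum version in a JMeter lib dir.
# MIN_LOG4J defaults to 2.15.0, the version the issue names as carrying the fix;
# raise it to whatever your policy requires.
MIN_LOG4J="${MIN_LOG4J:-2.15.0}"

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_log4j_jars DIR: prints one line per log4j jar found in DIR.
# Returns 0 if all are current, 1 if any is older than MIN_LOG4J,
# 2 if DIR is missing or holds no versioned log4j jar (nothing was verified).
check_log4j_jars() {
  local dir="$1" jar base ver found=0 stale=0
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  for jar in "$dir"/log4j-*.jar; do
    [ -e "$jar" ] || continue          # glob matched nothing
    base="$(basename "$jar" .jar)"
    ver="${base##*-}"                  # text after the last '-' is the version
    case "$ver" in
      [0-9]*.[0-9]*) ;;
      *) echo "SKIP  $base (no version in file name)"; continue ;;
    esac
    found=1
    if version_lt "$ver" "$MIN_LOG4J"; then
      echo "STALE $base (< $MIN_LOG4J)"
      stale=1
    else
      echo "OK    $base"
    fi
  done
  [ "$found" -eq 1 ] || { echo "no log4j jars found in $dir" >&2; return 2; }
  return "$stale"
}

# Stand-alone use: pass the lib directory of the unpacked JMeter distribution.
if [ "$#" -gt 0 ]; then
  check_log4j_jars "$1"
fi
```

The check reads versions from file names only, so a jar that was renamed or shaded into another archive is not covered by it.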