justb4 / docker-jmeter

Docker image for Apache JMeter
MIT License

log4j vulnerability - CVE-2021-44228 #47

Closed exevolium closed 2 years ago

exevolium commented 2 years ago

Hi,

Any changes to the docker image planned for this vulnerability? I saw that version 2.13 is used.

Thanks!

justb4 commented 2 years ago

Just read it in the news. Not using JMeter in our/my projects; I provided the Docker image as a result of a past project. If you have a working version upgrade you can provide as a PR: very welcome! JMeter is a program mostly used internally, not as an external service, so I don't see a direct threat, but it is good to upgrade.

justb4 commented 2 years ago

Fixed for now, using the -Dlog4j2.formatMsgNoLookups=true fix. See for example here. But again: JMeter is not a web service (like Spring above) and is not exposed, so IMO there is no possibility of external attack.
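The mitigation applied above is a JVM system property, so whether it actually protects the image depends on two things the issue does not spell out: which log4j-core version the JMeter install ships, and whether the property really reaches the JMeter JVM inside the container. The script below is an added example written for this page; it is not code from the docker-jmeter project or from JMeter. It assumes the JMeter jars live in a `lib` directory (as under `JMETER_HOME/lib`) and that JVM options are passed through the `JVM_ARGS` environment variable, which is how the stock `bin/jmeter` launcher picks them up. The temporary directory and the empty `log4j-core-*.jar` files it creates are constructed test data, not a real install.

```shell
#!/bin/sh
# Added example, not part of docker-jmeter or Apache JMeter.
# Assumptions: jars are in <libdir>/log4j-core-<version>.jar and JVM
# options reach JMeter through the JVM_ARGS environment variable.

# Classify a log4j-core version against CVE-2021-44228:
#   < 2.10            affected, and log4j2.formatMsgNoLookups is ignored
#   2.10 .. 2.14.x    affected, the property disables message lookups
#   2.15.x            lookups mostly removed, but CVE-2021-45046 remains
#   >= 2.16           JNDI message lookups removed (2.17+ recommended)
log4j_version_status() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  minor=${minor%%[!0-9]*}          # "0-beta9" -> "0"
  [ -n "$minor" ] || minor=0
  if [ "$major" != "2" ]; then echo "not-log4j2"; return; fi
  if [ "$minor" -lt 10 ]; then echo "vulnerable-flag-ignored"; return; fi
  if [ "$minor" -le 14 ]; then echo "vulnerable-flag-mitigates"; return; fi
  if [ "$minor" -eq 15 ]; then echo "partial-fix"; return; fi
  echo "fixed"
}

# Walk a lib directory and the JVM_ARGS string the container will use.
# Prints one line per log4j-core jar; returns 0 only if every jar is
# either fixed or (for 2.10-2.14) covered by the noLookups property.
jmeter_log4j_check() {
  libdir=$1
  jvmargs=$2
  rc=0
  found=0
  for jar in "$libdir"/log4j-core-*.jar; do
    [ -e "$jar" ] || continue        # unmatched glob stays literal
    found=1
    name=${jar##*/}
    ver=${name#log4j-core-}
    ver=${ver%.jar}
    status=$(log4j_version_status "$ver")
    case $status in
      fixed)
        echo "$name: OK ($status)" ;;
      not-log4j2)
        echo "$name: not log4j 2.x ($ver), CVE-2021-44228 does not apply" ;;
      vulnerable-flag-mitigates)
        case " $jvmargs " in
          *" -Dlog4j2.formatMsgNoLookups=true "*)
            echo "$name: mitigated by JVM property (upgrade still advised)" ;;
          *)
            echo "$name: VULNERABLE (CVE-2021-44228), property not set"
            rc=1 ;;
        esac ;;
      *)
        echo "$name: VULNERABLE or incomplete fix ($status)"
        rc=1 ;;
    esac
  done
  [ "$found" -eq 1 ] || echo "no log4j-core jar found in $libdir"
  return $rc
}

# Demo on a constructed lib directory (empty placeholder jars, not real ones).
demo_dir=$(mktemp -d)
: > "$demo_dir/log4j-core-2.13.3.jar"
echo "-- without the property:"
jmeter_log4j_check "$demo_dir" "-Xms1g -Xmx1g"
echo "exit status: $?"
echo "-- with the property the issue applied:"
jmeter_log4j_check "$demo_dir" "-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
echo "exit status: $?"
rm -rf "$demo_dir"
```

In a Dockerfile the property would normally be set once with `ENV JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true"` (assumed to be honoured by the JMeter launcher script); running the check inside the built image, pointed at the real `lib` directory, confirms the jar version and the property agree. Two caveats a practitioner should keep in mind: the property only helps for log4j-core 2.10 through 2.14.x, and it was later shown to be an incomplete fix (CVE-2021-45046), so upgrading log4j-core to 2.17.x, or at minimum removing `JndiLookup.class` from the jar, is the durable remediation rather than the flag alone.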