In my last blog, I listed various options to mitigate the CVE-2021-44228 vulnerability. Please note that Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints. Today, Apache JMeter team has released the emergency minor version of JMeter 5.4.2 which includes Log4j 2.16 jars. Let us know briefly about this release.
What's new in Apache JMeter 5.4.2?
Typically, every release of JMeter will have a new and noteworthy section and numerous bug fixes and enhancements, and sampler updates. Since this is an emergency release, JMeter community focussed on Log4j 2.16 jars patch.
There is no new or noteworthy in this minor release.
Only non-functional changes, which include Log4j 2.16 updates from Log4j 2.13.3.
You can download the latest version from here.
Please validate the SHA512 checksum to verify the integrity.
Typically, for any release, the community will wait for the votes for at least 72 hours. Since this is an emergency release, the team has released the minor version swiftly.
It is highly recommended downloading the latest version of JMeter 5.4.2. Also, please update your docker images, Kubernetes deployment YAML, CI/CD script etc. to mitigate the risk.
Please let me know if you face any issues in JMeter 5.4.2.