In case you installed on Windows, JMeter 5.4.1 from the Github repo: install-jmeter-windows, by now you should know that you are impacted by Security issue CVE-2021-44228 because JMeter is a JAVA application
Here you can find an automatic tool that will fix your vulnerability by downloading the log4j version 2.16
STEPS:
STOP JMeter GUI
download Release v01 from here: https://github.com/sebiboga/jmeter-fix-cve-2021-44228-windows/releases/tag/v01
unzip the Release
double click on cve-2021-44228.bat
In case you didn't installed JMeter in C:\JMeter\apache-jmeter-5.4.1, you'll have to:
- EDIT the bat file and on row 2, update your location where JMeter is installed;
- then update all copy commands with correct destination folder
Here is the batch file:
@echo off
cd C:\JMeter\apache-jmeter-5.4.1\lib
del log4j*.*
md C:\JMeter\cve-2021-4428
powershell -command "Invoke-WebRequest -Uri 'https://dlcdn.apache.org/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip' -OutFile 'C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin.zip'"
powershell -command "Expand-Archive -Force 'C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin.zip' 'C:\JMeter\cve-2021-4428'"
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-1.2-api-2.16.0.jar C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-api-2.16.0.jar C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-core-2.16.0.jar C:\JMeter\apache-jmeter-5.4.1\lib\*.*
copy C:\JMeter\cve-2021-4428\apache-log4j-2.16.0-bin\log4j-slf4j-impl-2.16.0.jar C:\JMeter\apache-jmeter-5.4.1\lib\*.*
Have a nice day!