| 1.0 | December 22, 2021 | Initial Release |
Keptn jmeter-service in version 0.11.3 and older.
Keptn jmeter-service in version 0.11.3 and older includes JMeter with a version below v5.4.2 that is vulnerable to Remote Code Execution due to the embedded Log4j version. More details about the vulnerability of Log4j can be found in CVE-2021-44228 and CVE-2021-45046. With JMeter v5.4.2 the bug is fixed (changelog).
We believe that this issue can be exploited in a Keptn execution plane under some conditions.
The severity of the vulnerability of jmeter-service is:
Overall CVSS Score: 4.0 and CVSS v3.1 Vector:
Note: The calculation of the CVSS is based on a Keptn 0.11 installation.
The release of jmeter-service in version 0.11.4 contains the new JMeter version v5.4.2. We recommend upgrading your Keptn control plane to 0.11.x as soon as possible, which allows you to upgrade the jmeter-service to version 0.11.4.
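As an added example (not part of this advisory and not Keptn project code), the following Python inventory check helps an operator confirm the two facts the advisory turns on: whether a deployed `jmeter-service` image is at 0.11.3 or older, and whether a JMeter installation still carries a JMeter core below v5.4.2 together with an old `log4j-core` jar. The image list and jar list are constructed sample input (in practice they would come from `kubectl get deployments -o jsonpath='{..image}'` and a listing of JMeter's `lib/` directory); the `log4j-core` threshold of 2.17.0 is an assumption based on the Log4j release JMeter 5.4.2 shipped with, not a value taken from the advisory.

```python
"""Inventory check for the Keptn jmeter-service Log4j advisory (added example)."""
import re
from typing import Iterable, List, Optional, Tuple

# Thresholds stated in the advisory.
FIXED_JMETER_SERVICE = (0, 11, 4)
FIXED_JMETER = (5, 4, 2)
# Assumption (not from the advisory): log4j-core version bundled with JMeter 5.4.2.
FIXED_LOG4J_CORE = (2, 17, 0)

JAR_RE = re.compile(r"^(?P<artifact>ApacheJMeter_core|log4j-core)-(?P<ver>\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.11.3' or 'v5.4.2' into a tuple of ints; trailing suffixes such as '-rc1' are ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_older(found: Tuple[int, ...], fixed: Tuple[int, ...]) -> bool:
    """Compare versions component-wise, padding missing components with zeros."""
    n = max(len(found), len(fixed))
    return tuple(found) + (0,) * (n - len(found)) < tuple(fixed) + (0,) * (n - len(fixed))


def split_image(image: str) -> Tuple[str, Optional[str]]:
    """Return (image name, tag); tag is None for digest-pinned or untagged references."""
    last = image.rsplit("/", 1)[-1]  # e.g. 'jmeter-service:0.11.3' or 'jmeter-service@sha256:...'
    if "@" in last:
        return last.split("@", 1)[0], None
    name, _, tag = last.partition(":")
    return name, (tag or None)


def check_image(image: str) -> str:
    """Classify an image reference as 'affected', 'fixed', 'unknown' or 'not-jmeter-service'."""
    name, tag = split_image(image)
    if name != "jmeter-service":
        return "not-jmeter-service"
    if tag is None:
        return "unknown"  # resolve the digest to a release tag before deciding
    return "affected" if is_older(parse_version(tag), FIXED_JMETER_SERVICE) else "fixed"


def affected_images(images: Iterable[str]) -> List[str]:
    """Return only the jmeter-service images that are at 0.11.3 or older."""
    return [img for img in images if check_image(img) == "affected"]


def check_jars(jar_names: Iterable[str]) -> List[str]:
    """Flag JMeter core jars below 5.4.2 and log4j-core jars below the assumed fixed version."""
    findings = []
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        artifact, ver = m.group("artifact"), parse_version(m.group("ver"))
        if artifact == "ApacheJMeter_core" and is_older(ver, FIXED_JMETER):
            findings.append(f"{name}: JMeter {m.group('ver')} is below v5.4.2")
        elif artifact == "log4j-core" and is_older(ver, FIXED_LOG4J_CORE):
            findings.append(f"{name}: log4j-core {m.group('ver')} is below 2.17.0 (assumed fixed version)")
    return findings


# Constructed sample input; in practice these lists come from the cluster and the JMeter lib/ folder.
SAMPLE_IMAGES = [
    "keptn/jmeter-service:0.11.3",
    "docker.io/keptn/jmeter-service:0.11.4",
    "keptn/jmeter-service@sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "keptn/helm-service:0.11.3",
]
SAMPLE_JARS = ["ApacheJMeter_core-5.4.1.jar", "log4j-core-2.13.3.jar", "log4j-api-2.13.3.jar"]

if __name__ == "__main__":
    for img in SAMPLE_IMAGES:
        print(f"{check_image(img):20} {img}")
    for finding in check_jars(SAMPLE_JARS):
        print("FINDING:", finding)
```

Digest-pinned images are reported as `unknown` on purpose: the digest has to be resolved to its release tag before the 0.11.4 threshold can be applied, and silently treating it as fixed would hide exactly the deployments this advisory is about.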
jmx files in the jmeter folder on the branches.