Keptn v1 reached EOL December 22, 2023. For more information see https://bit.ly/keptn

Keptn-Vulnerability-2021-001

Version 1.0

Revision Information

Revision   Updated             Reason
1.0        December 22, 2021   Initial Reason

Affected

Keptn jmeter-service in version 0.11.3 and older.

Description

Keptn jmeter-service in version 0.11.3 and older includes a JMeter version below v5.4.2, which is vulnerable to remote code execution through the Log4j version it embeds. More details about the Log4j vulnerability can be found in CVE-2021-44228 and CVE-2021-45046. With JMeter v5.4.2 the bug is fixed (changelog).

We believe that this issue can be exploited in a Keptn execution plane under certain conditions.

Severity

The severity of the jmeter-service vulnerability is:

Overall CVSS Score: 4.0
CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:R/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:L/MI:L/MA:L

Note: The calculation of the CVSS is based on a Keptn 0.11 installation.

Recommendations

The release of jmeter-service in version 0.11.4 contains the new JMeter version v5.4.2. We recommend upgrading your Keptn control plane to 0.11.x as soon as possible, which allows you to upgrade the jmeter-service to version 0.11.4.

Workaround

  • Ensure the jmeter-service is not accessible from outside the execution plane.
  • Protect all branches of the Git repository managed by Keptn, in particular against unauthorized changes to the .jmx files in the jmeter folder on those branches.
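One way to implement the first workaround on a Kubernetes-hosted execution plane is a NetworkPolicy that limits ingress to the jmeter-service pods to their own namespace. The manifest below is an added example, not part of this advisory or the Keptn project; it assumes the execution plane runs in the namespace keptn and that the service pods carry the label app.kubernetes.io/name=jmeter-service, both of which must be adjusted to the actual installation. It only takes effect on clusters whose CNI plugin enforces NetworkPolicy.

```yaml
# Added example (not Keptn project code): restrict ingress to jmeter-service.
# Assumptions: namespace "keptn" and pod label
# app.kubernetes.io/name=jmeter-service; change both to match your install.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: jmeter-service-restrict-ingress
  namespace: keptn
spec:
  # Select the jmeter-service pods this policy applies to.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: jmeter-service
  policyTypes:
    - Ingress
  ingress:
    # Only pods in the same namespace may reach the service; connections
    # from other namespaces and from outside the cluster are dropped.
    - from:
        - podSelector: {}
```

Apply it with `kubectl apply -f <file>` and confirm it is in place with `kubectl get networkpolicy -n keptn`. Traffic between containers inside the same pod (for example a sidecar calling the service over localhost) is not subject to NetworkPolicy, so the restriction does not interfere with pod-local communication.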