What's new in Apache JMeter 5.4.3?

The Apache JMeter team has released its next minor version of JMeter 5.4.3 for the Log4j security vulnerability CVE-2021-45105. In my last few articles, I have posted about Log4j Vulnerability Important Note to Performance Engineers, Whats new in Apache JMeter 5.4.2?, and What to do if you cannot upgrade to JMeter 5.4.2 for Log4j Vulnerability?. Let us see what's new in Apache JMeter 5.4.3.

About CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

Apache JMeter 5.4.3

As this minor patch addresses CVE-2021-45105, it doesn't have any new and noteworthy section. There are no other bug fixes, enhancements, samplers, etc.

JMeter 5.4.3 has bumped up versions of log4j from 2.16.0 to 2.17.0.

To download the latest version of JMeter, head to https://jmeter.apache.org/download_jmeter.cgi

Click any one of the apache-jmeter-5.4.3 flavor to download.

After download the file, verify the integrity using the sha512 checksum.

What's new in Apache JMeter 5.4.3?

JMeter Release process

There are multiple steps involved in releasing the newer version. Since this is a security fix, the votes are solicited for 24 hrs and closed.

JMeter 5.4.3 votes

Conclusion

It is recommended to update your JMeter to 5.4.3. Suppose, if you are not able to upgrade, there are workarounds mentioned in this article.