Describe the bug
uPortal-start build.gradle references JMeter plugin 'net.foragerr.jmeter' version '1.1.0-4.0'. As part of Gradle's caching process, this plugin loads log4j-core-2.17.0.jar and log4j-api-2.17.0.jar. Both of these jars are vulnerable to the log4j exploit.
To Reproduce
Steps to reproduce the behavior:
Run ./gradlew tasks
Go to ~/.gradle/caches
Run find . -name 'log4j-*.*'
Both log4j jars will be listed.
Expected behavior
These jars are only used during gradle JMeter tasks, so there is no production risk. However, both of these jars are present on the server and may be flagged if you run monitoring software.
Platform:
uPortal Version: 5.0
OS: all
Browser: all
Additional context
JMeter may be obsolete, so this plugin may be able to be deleted.
JMeter can be commented out of the code by commenting out the plugin in the Plugins block and commenting out the jmeter block in the build.gradle.
It is necessary to at least delete the two jars from the .gradle/caches folder once JMeter is either disabled or deleted. You can delete the entire .gradle/caches folder, and the next gradle task will rebuild it.
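An added example, not part of the original issue or of the uPortal-start project: a shell helper that inventories the log4j jars in a Gradle cache, with the artifact name and version parsed from each file name, and removes them once the JMeter plugin has been disabled. The function names are hypothetical; the default directory is the ~/.gradle/caches path named in the issue.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not uPortal-start code).
# Usage after sourcing this file:
#   list_log4j_jars              # scan ~/.gradle/caches
#   list_log4j_jars /some/cache  # scan another Gradle cache directory
#   remove_log4j_jars            # delete what the scan reports

# Print one line per jar: artifact<TAB>version<TAB>path
list_log4j_jars() {
    cache_dir=${1:-"$HOME/.gradle/caches"}
    # A missing cache directory simply means there is nothing to report.
    [ -d "$cache_dir" ] || return 0
    # The pattern is quoted so the shell passes it to find unexpanded.
    find "$cache_dir" -type f -name 'log4j-*.jar' | sort |
    while IFS= read -r jar; do
        base=${jar##*/}        # e.g. log4j-core-2.17.0.jar
        stem=${base%.jar}      # e.g. log4j-core-2.17.0
        version=${stem##*-}    # text after the last dash
        artifact=${stem%-*}    # text before the last dash
        case $version in
            [0-9]*) ;;         # looks like a version number
            *) artifact=$stem; version=unknown ;;  # e.g. a -sources jar
        esac
        printf '%s\t%s\t%s\n' "$artifact" "$version" "$jar"
    done
}

# Delete every jar the scan reports and print each removed path.
# Run this only after the JMeter plugin is disabled or deleted in
# build.gradle; otherwise the next Gradle task downloads the jars again.
remove_log4j_jars() {
    list_log4j_jars "${1:-$HOME/.gradle/caches}" | cut -f3- |
    while IFS= read -r jar; do
        rm -f -- "$jar" && printf '%s\n' "$jar"
    done
}
```

Running list_log4j_jars again after the removal and after the next Gradle task confirms that nothing re-populated the cache.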