Fixing Security Issue: Apache Commons Text CVE-2022-42889 on JMeter

Asanka Vithanage
May 12, 2023

A critical security issue, CVE-2022-42889 (listed in the NVD), has been reported against the commons-text-1.9.jar library, which is included in the JMeter lib folder.

JMeter versions 5.5 and 5.4.3 ship with the impacted library. The issue has already been reported and fixed on the JMeter side (apache/jmeter#5726 and apache/jmeter#571), but JMeter has yet to publish a release containing the fixes.

Until the next JMeter release is available, you can use one of the following workarounds.

---

Replace commons-text-1.9.jar in the JMeter lib folder with commons-text-1.10.0.jar, which can be downloaded from https://downloads.apache.org/commons/text/binaries/

---

If you are using the JMeter Maven plugin, you can add the following lines under the JMeter Maven plugin configuration section of your pom.xml file.

<testPlanLibraries>
    <artifact>org.apache.commons:commons-text:1.10.0</artifact>
</testPlanLibraries>
<excludedArtifacts>
    <exclusion>org.apache.commons:commons-text:1.9</exclusion>
</excludedArtifacts>

---

If you are using a Docker image, replace the jar and build the Docker image with the Dockerfile below.

Copy the downloaded jar file to a jars folder and build the Docker image.

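# Replace with the name of your existing JMeter image
FROM existing-image-name
LABEL maintainer="xxxxxxx"

# JMETER_HOME must already be set in the base image
WORKDIR $JMETER_HOME

# Remove the vulnerable jar, then copy in the downloaded commons-text-1.10.0.jar
RUN rm -f lib/commons-text-1.9.jar
COPY jars/* lib/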
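
To confirm that any of the three replacements above took effect, the following added example (not part of the original post) scans a lib folder for commons-text jars and flags affected versions. The function name and the demo directory are assumptions, and the affected range of 1.5 through 1.9 comes from the CVE record rather than from this post.

```sh
#!/bin/sh
# Added example: audit a JMeter lib folder after swapping the commons-text jar.
# CVE-2022-42889 affects commons-text 1.5 through 1.9; 1.10.0 carries the fix.
# Limitation: the check reads jar file names only, so a renamed jar is missed.

# Prints one line per commons-text jar and returns:
#   0 = only unaffected versions, 1 = an affected jar is present, 2 = none found
check_commons_text() {
    lib_dir=$1
    found=0
    affected=0
    for jar in "$lib_dir"/commons-text-*.jar; do
        [ -e "$jar" ] || continue            # glob matched nothing
        found=1
        version=${jar##*/commons-text-}      # drop path and artifact name
        version=${version%.jar}              # e.g. 1.9 or 1.10.0
        case "$version" in
            1.[5-9]|1.[5-9][-.]*)
                echo "AFFECTED $jar"
                affected=1 ;;
            *)
                echo "OK       $jar" ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "MISSING  no commons-text jar in $lib_dir"
        return 2
    fi
    return "$affected"
}

# Constructed demo: empty files named like the jars, with the old jar left
# beside the new one (what happens when 1.10.0 is copied in without deleting 1.9).
demo=$(mktemp -d)
touch "$demo/commons-text-1.9.jar" "$demo/commons-text-1.10.0.jar"
check_commons_text "$demo" || echo "exit status $?: lib folder still needs cleanup"
rm -rf "$demo"
# On a real install: check_commons_text "$JMETER_HOME/lib"
```

A non-zero return makes the function usable as a gate in a CI step or as a final RUN line in the Dockerfile.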

Asanka Vithanage

Software Quality Assurance Professional, Problem Solver, SOA Tester, Automation Engineer, CI/CD Practitioner, DevOps enthusiast