Log4j issue CVE-2025-68161 in Jmeter 5.6.3

[Securityguy473]

Expected behavior

Hi!
I have noticed that the Log4j version being used in Apache Jmeter 5.6.3 is version 2.22.1
This Log4j version is vulnerable to CVE-2025-68161 (Log4j up to version 2.25.2)
We are using Microsoft Defender in our organization to monitor threats.
I need guidance in how to manage this security issue.
Does Jmeter need to release a new version or can we manually change the Log4j version somehow?
When can we expect a new version of Jmeter?

Actual behavior

Actual file path: C:....\apache-jmeter-5.6.3\lib\log4j-core-2.22.1.jar

Steps to reproduce the problem

JMeter Version

5.6.3

Java Version

Not relevant

OS Version

Windows 11

[FSchumacher]

You can easily replace the affected libraries yourself. Download the current log4j 2.x binaries and replace the four log4j libraries in $JMETER_HOME/lib with the newer ones from the binary download.

The four jars are the following files (plus a shell command to find them):

$ tar tf apache-jmeter-5.6.3.tgz | grep log4j.*jar
apache-jmeter-5.6.3/lib/log4j-1.2-api-2.22.1.jar
apache-jmeter-5.6.3/lib/log4j-slf4j-impl-2.22.1.jar
apache-jmeter-5.6.3/lib/log4j-core-2.22.1.jar
apache-jmeter-5.6.3/lib/log4j-api-2.22.1.jar

Another way to get rid of this problem, would be to try a current nightly build, where those libraries should be replaced already. Feedback on the nightlies is highly welcome.

[Securityguy473]

Thanks for the help @FSchumacher
I have downloaded the binaries for Log4j but I don't understand what files I should look for in the binaries, there are no .jar files. Do I need to do something to pack them as .jar files?
I am not usually handling this kind of thing, so excuse me if i'm missing something obvious here.

[FSchumacher]

I don't know, which of the files referenced on the page you picked, but you should pick the one from the [https://logging.apache.org/log4j/2.x/download.html#binary-distribution](binary distribution). If you chose the source distribution, the jars will be missing and you get a bunch of java files instead. The easiest way to choose is to look for a file like apache-log4j-2.x.y-bin.zip

[Securityguy473]

I don't know, which of the files referenced on the page you picked, but you should pick the one from the [https://logging.apache.org/log4j/2.x/download.html#binary-distribution](binary distribution). If you chose the source distribution, the jars will be missing and you get a bunch of java files instead. The easiest way to choose is to look for a file like apache-log4j-2.x.y-bin.zip

Hi!
I chose the wrong download on the Apache site. (My bad)
When I chose the "Binaries" (as you told me to in the first place) it worked very well. Thanks for all your help :)