Keptn v1 reached EOL December 22, 2023. For more information see https://bit.ly/keptn
Home / Keptn v1 Docs / News / Vulnerability Bulletins / Keptn-Vulnerability-2021-001
Keptn-Vulnerability-2021-001
Version 1.0
Revision Information
| Revision | Updated | Reason |
|---|---|---|
| 1.0 | December 22, 2021 | Initial Reason |
Affected
Keptn jmeter-service in version 0.11.3 and older.
Description
Keptn jmeter-service in version 0.11.3 and older includes JMeter with a version below v5.4.2 that is vulnerable to Remote Code Execution due to the embedded Log4j version. More details about the vulnerability of Log4j can be found in CVE-2021-44228 and CVE-2021-45046. With JMeter v5.4.2 the bug is fixed (changelog).
We believe that this issue can be exploited in a Keptn execution plane to some conditions.
Severity
The severity of the vulnerability of jmeter-service is:
Overall CVSS Score: 4.0 and CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:R/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:L/MI:L/MA:L
Note: The calculation of the CVSS is based on a Keptn 0.11 installation.
Recommendations
The release of jmeter-service in version 0.11.4 contains the new JMeter version v5.4.2. We recommend upgrading your Keptn control plane to 0.11.x as soon as possible allowing you to upgrade the jmeter-service to version 0.11.4.
- ⚠️ When running on a Keptn below 0.11, you have to perform a backup of the MongoDB due to a breaking change in 0.11. Please follow this upgrade path with manual MongoDB backup/restore.
- When running on Keptn 0.11.x, please follow this upgrade path.
Workaround
- Ensure the jmeter-service is not accessible from outside the execution plane.
- Protect all branches of your Git repository managed by Keptn; especially for unauthorized file changes of
jmxfiles in thejmeterfolder on the branches.
