v3.4.2

CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+
+## [3.4.2] - 2025-09-09
+
+### Fixed
+
+- Fixed Dockerfile to remove locust from excluded plugins installation list.
+
+### Security
+
+- Update Flask-Cors from 4.0.2 to 6.0.0 to fix [CVE-2024-6221](https://nvd.nist.gov/vuln/detail/CVE-2024-6221), [CVE-2024-6839](https://nvd.nist.gov/vuln/detail/CVE-2024-6839), [CVE-2024-6844](https://nvd.nist.gov/vuln/detail/CVE-2024-6844), [CVE-2024-6866](https://nvd.nist.gov/vuln/detail/CVE-2024-6866)
+- Update setuptools to 80.9.0 to fix [CVE-2025-47273](https://nvd.nist.gov/vuln/detail/CVE-2025-47273) and [CVE-2024-6345](https://nvd.nist.gov/vuln/detail/CVE-2024-6345)
+- Update pip to 25.2 to fix [CVE-2023-5752](https://nvd.nist.gov/vuln/detail/CVE-2023-5752)
+- Update Jetty HTTP/2 to fix [CVE-2025-5115](https://nvd.nist.gov/vuln/detail/CVE-2025-5115)
+
+
 ## [3.4.1] - 2025-08-11
 
 ### Security

VERSION.txt

@@ -1 +1 @@
-3.4.1
+3.4.2

deployment/ecr/distributed-load-testing-on-aws-load-tester/Dockerfile

@@ -6,15 +6,17 @@ RUN dnf upgrade -y && \
 
 ENV PIP_INSTALL="pip3.11 install --no-cache-dir"
 
-
-# install bzt
-RUN $PIP_INSTALL --upgrade bzt awscli setuptools==78.1.1 h11 urllib3==2.2.2 && \
-    $PIP_INSTALL --upgrade bzt
+# install bzt and upgrade pip/setuptools, then remove vulnerable system packages
+RUN $PIP_INSTALL --upgrade pip==25.2 setuptools==80.9.0 && \
+    $PIP_INSTALL --upgrade bzt awscli h11 urllib3==2.5.0 && \
+    $PIP_INSTALL --upgrade Flask-Cors==6.0.1 && \
+    dnf remove -y python3.11-setuptools python3.11-pip && \
+    dnf clean all
 COPY ./.bzt-rc /root/.bzt-rc
 RUN chmod 755 /root/.bzt-rc
 
 # install bzt tools
-RUN bzt -install-tools -o modules.install-checker.exclude=selenium,gatling,tsung,siege,ab,k6,external-results-loader,locust,junit,testng,rspec,mocha,nunit,xunit,wdio,robot,newman
+RUN bzt -install-tools -o modules.install-checker.exclude=selenium,gatling,tsung,siege,ab,k6,external-results-loader,junit,testng,rspec,mocha,nunit,xunit,wdio,robot,newman
 RUN rm -rf /root/.bzt/selenium-taurus
 RUN mkdir /bzt-configs /tmp/artifacts
 ADD ./load-test.sh /bzt-configs/

deployment/ecr/distributed-load-testing-on-aws-load-tester/jar_updater.py

@@ -22,7 +22,14 @@
     * tika-core v1.28.3 will be replaced with v1.28.4
     * json-path v2.7.0 will be replaced with v2.9.0
     * dnsjava v2.1.9 will be replaced with v3.6.1
-Also jmeter plugins manager will be updated to v1.10 to address CVEs and cmdrunner will be updated to v2.3 to accomodate with plugins manager.
+    * xstream will be replaced with v1.4.21
+    * http2-hpack will be replaced with v11.0.16
+    * jetty-http will be replaced with v12.0.12
+    * http2-common will be replaced with v11.0.26
+    * kotlin-stdlib will be replaced with v2.1.0
+    * commons-lang3 will be replaced with v3.18.0
+    * commons-lang v2.5 - no fix available for CVE-2025-48924
+Also jmeter plugins manager will be updated to v1.11 to address CVEs and cmdrunner will be updated to v2.3 to accomodate with plugins manager.
 """
 
 # these jars should be replaced with newer version in order to fix some vulnerabilities
@@ -42,8 +49,10 @@
     "xstream":"com/thoughtworks/xstream/xstream/1.4.21/xstream-1.4.21.jar",
     "http2-hpack": "org/eclipse/jetty/http2/http2-hpack/11.0.16/http2-hpack-11.0.16.jar",
     "jetty-http": "org/eclipse/jetty/jetty-http/12.0.12/jetty-http-12.0.12.jar",
-    "http2-common": "org/eclipse/jetty/http2/http2-common/11.0.20/http2-common-11.0.20.jar",
+    "http2-common": "org/eclipse/jetty/http2/http2-common/11.0.26/http2-common-11.0.26.jar",
     "kotlin-stdlib": "org/jetbrains/kotlin/kotlin-stdlib/2.1.0/kotlin-stdlib-2.1.0.jar",
+    "commons-lang3": "org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar",
+
 }
 JMETER_VERSION = "5.6.3"
 JMETER_PLUGINS_MANAGER_VERSION = "1.11"

source/api-services/package.json

@@ -1,6 +1,6 @@
 {
   "name": "api-services",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "REST API micro services",
   "repository": {
     "type": "git",

source/console/package.json

@@ -1,6 +1,6 @@
 {
   "name": "distributed-load-testing-on-aws-ui",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "private": true,
   "license": "Apache-2.0",
   "author": {

source/custom-resource/package.json

@@ -1,6 +1,6 @@
 {
   "name": "custom-resource",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "cfn custom resources for distributed load testing on AWS workflow",
   "repository": {
     "type": "git",

source/infrastructure/cdk.json

@@ -4,7 +4,7 @@
     "@aws-cdk/core:stackRelativeExports": false,
     "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
     "solutionId": "SO0062",
-    "solutionVersion": "custom-v3.4.1",
+    "solutionVersion": "custom-v3.4.2",
     "solutionName": "distributed-load-testing-on-aws"
   }
 }

source/infrastructure/package.json

@@ -1,6 +1,6 @@
 {
   "name": "distributed-load-testing-on-aws-infrastructure",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "author": {
     "name": "Amazon Web Services",
     "url": "https://aws.amazon.com/solutions"

source/metrics-utils/lib/solutions-metrics.ts

@@ -126,7 +126,7 @@ export class SolutionsMetrics extends Construct {
     const metricIdentifier = this.extractQueryFields(queryDefinitionProps.queryString);
     // Duplicate metric names would cause it to be impossible to determine which metric refers to which initial resource
     metricIdentifier.forEach((metricIdentifier) => {
-      if (metricIdentifier && !metricIdentifier.match(/^[a-zA-Z0-9_]*$/)) {
+      if (metricIdentifier && !metricIdentifier.match(/^\w*$/)) {
         throw new Error(`Identifier: ${metricIdentifier} must contain only alphanumeric characters and underscores`);
       }
       if (this.existingMetricIdentifiers.has(metricIdentifier)) {

source/metrics-utils/package.json

@@ -1,6 +1,6 @@
 {
   "name": "metrics-utils",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "main": "index.ts",
   "license": "Apache-2.0",
   "description": "Distributed Load Testing on AWS Ops Metrics",

source/package.json

@@ -1,6 +1,6 @@
 {
   "name": "source",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "private": true,
   "description": "ESLint and prettier dependencies to be used within the solution",
   "license": "Apache-2.0",

source/real-time-data-publisher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "real-time-data-publisher",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Publishes real time test data to an IoT endpoint",
   "repository": {
     "type": "git",

source/results-parser/package.json

@@ -1,6 +1,6 @@
 {
   "name": "results-parser",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "result parser for indexing xml test results to DynamoDB",
   "repository": {
     "type": "git",

source/solution-utils/package.json

@@ -1,6 +1,6 @@
 {
   "name": "solution-utils",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Utilities package for Distributed Load Testing on AWS",
   "license": "Apache-2.0",
   "author": {

source/task-canceler/package.json

@@ -1,6 +1,6 @@
 {
   "name": "task-canceler",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Triggered by api-services lambda function, cancels ecs tasks",
   "repository": {
     "type": "git",