www-announce mailing list archives

From Philippe Mouawad <pmoua...@apache.org>
Subject [SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used
Date Sat, 02 Mar 2019 17:18:44 GMT
This is a security notification for Apache JMeter:

CVE-2019-0187
Severity: Important
Vendor: The Apache Software Foundation
Affected Versions: JMeter 4.0, 5.0

Description [0]:

Unauthenticated RCE is possible when JMeter is used in distributed mode (-r
or -R command line options).
An attacker can establish an RMI connection to a jmeter-server using
RemoteJMeterEngine and proceed with an attack using untrusted data
deserialization.
This only affects tests running in distributed mode.
Note that versions before 4.0 are not able to encrypt traffic between the
nodes, nor authenticate the participating nodes, so even for those versions,
upgrading to JMeter 5.1 is also advised.

Mitigation:
  * Users must use the latest minor version of Java 8 to Java 11
  * Users must upgrade to the latest JMeter 5.1 version and use the default /
enabled authenticated SSL RMI connection.

Besides, we remind users that in distributed mode, JMeter makes an
architectural assumption that it is operating on a 'safe' network, i.e.
everyone with access to the network is considered trusted.

This typically means a dedicated VPN or similar is being used.

Example:
  * Start JMeter server using either jmeter-server or jmeter -s
  * Using another keystore file, if you're able to connect to the first server
instance and you don't get "SSLHandshakeException: Received fatal alert:
bad_certificate", you are vulnerable

Credit:
This issue was reported responsibly to the Apache Security Team by Brenden
Meeder.

- The Apache JMeter Team

[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=62743
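
The version and configuration conditions in the advisory above can be checked per node with a short script. This is an added example, not part of the original message and not JMeter project code. It assumes the JMeter property `server.rmi.ssl.disable` (not named in the advisory) is what turns SSL RMI off and that it defaults to false; the function names, finding codes and sample inputs are constructed for illustration.

```python
import re

AFFECTED = {(4, 0), (5, 0)}  # "Affected Versions" listed in the advisory

def parse_properties(text):
    """Parse Java .properties text; as in Java, the last definition wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(version, properties_text):
    """Return finding codes for one node used in distributed mode."""
    major_minor = tuple(int(p) for p in version.split(".")[:2])
    findings = []
    if major_minor < (4, 0):
        # Advisory: before 4.0, traffic is neither encrypted nor authenticated.
        return ["pre-4.0-unprotected-rmi"]
    if major_minor in AFFECTED:
        # Advisory: 4.0 and 5.0 lack client auth on the RMI connection.
        findings.append("CVE-2019-0187")
    props = parse_properties(properties_text)
    # Assumption: an absent property means the default (SSL RMI enabled).
    if props.get("server.rmi.ssl.disable", "false").lower() == "true":
        findings.append("ssl-rmi-disabled")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    sample = "# user.properties (constructed)\nserver.rmi.ssl.disable = true\n"
    for ver, text in [("3.3", ""), ("5.0", ""), ("5.1", sample), ("5.1", "")]:
        print(ver, audit(ver, text) or "ok")
```

An empty result only means the node meets the advisory's version and SSL RMI conditions; the 'safe' network assumption still applies.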
