[MAVEN:GHSA-WG37-7MRV-CFWM] Unauthenticated Remote Code Execution in Apache JMeter

Severity Critical

Affected Packages 1

Fixed Packages 1

CVEs 1

Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.

Package	Affected Version
pkg:maven/org.apache.jmeter/ApacheJMeter	< 5.1

Package	Fixed Version
pkg:maven/org.apache.jmeter/ApacheJMeter	= 5.1

ID: MAVEN:GHSA-WG37-7MRV-CFWM
Severity: critical
URL: https://github.com/advisories/GHSA-wg37-7mrv-cfwm
Published: 2019-03-07T18:47:57
(5 years ago)
Modified: 2023-01-09T05:04:19
(20 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2019-0187
			https://github.com/advisories/GHSA-wg37-7mrv-cfwm
			http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E
			http://www.securityfocus.com/bid/107219

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.apache.jmeter/ApacheJMeter	org.apache.jmeter	ApacheJMeter	< 5.1
Fixed	pkg:maven/org.apache.jmeter/ApacheJMeter	org.apache.jmeter	ApacheJMeter	= 5.1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date