[SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used
This is a security notification for Apache JMeter:
Vendor: The Apache Software Foundation
Affected Versions: JMeter 4.0, 5.0
Unauthenticated RCE is possible when JMeter is used in distributed mode (-r
or -R command line options).
An attacker can establish an RMI connection to a jmeter-server using
RemoteJMeterEngine and proceed with an attack using untrusted data.
This only affects tests running in Distributed mode.
Note that versions before 4.0 are not able to encrypt traffic between the
nodes, nor authenticate the participating nodes so even for those versions,
upgrade to JMeter 5.1 is
* Users must use the latest minor version of Java 8 to Java 11
* Users must upgrade to the latest JMeter 5.1 version and use the default /
enabled authenticated SSL RMI connection.
Besides, we remind users that in distributed mode, JMeter makes an
assumption that it is operating on a 'safe' network, i.e. everyone with
access to the network is considered trusted.
This typically means a dedicated VPN or similar is being used.
* Start JMeter server using either jmeter-server or jmeter -s
* Using another keystore file, if you're able to connect to the first server
instance and you don't get "SSLHandshakeException: Received fatal alert:
bad_certificate", you are vulnerable.
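A static complement to the handshake check above, as an added example that is not part of the advisory or of JMeter: it audits a node's version and property files for the conditions the mitigation rules out. The property name `server.rmi.ssl.disable` comes from JMeter's stock jmeter.properties rather than from this notice, the override order (later file wins) is an assumption, the sample file contents are constructed, and -J command-line overrides are not covered.

```python
import re

# Property name taken from JMeter's stock jmeter.properties (assumption:
# it is not quoted in the advisory itself).
SSL_DISABLE_KEY = "server.rmi.ssl.disable"
AFFECTED = {(4, 0), (5, 0)}  # versions listed in the advisory


def parse_properties(text):
    """Minimal Java .properties reader: skips comments, accepts '=', ':' or space."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(version, *property_texts):
    """Return findings for one node; later property texts override earlier ones."""
    major_minor = tuple(int(p) for p in version.split(".")[:2])
    merged = {}
    for text in property_texts:
        merged.update(parse_properties(text))
    findings = []
    if major_minor < (4, 0):
        findings.append(f"JMeter {version}: cannot encrypt or authenticate RMI traffic")
    elif major_minor in AFFECTED:
        findings.append(f"JMeter {version}: affected by CVE-2019-0187, upgrade to 5.1")
    if merged.get(SSL_DISABLE_KEY, "false").lower() == "true":
        findings.append(f"{SSL_DISABLE_KEY}=true: authenticated SSL RMI is switched off")
    return findings


# Constructed sample inputs, not taken from a real installation.
JMETER_PROPERTIES = "#server.rmi.ssl.disable=false\nserver.rmi.ssl.keystore.file=rmi_keystore.jks\n"
USER_PROPERTIES = "# quick fix for handshake errors\nserver.rmi.ssl.disable = true\n"

if __name__ == "__main__":
    for finding in audit("5.0", JMETER_PROPERTIES, USER_PROPERTIES):
        print("FINDING:", finding)
```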
This issue was reported responsibly to the Apache Security Team by Brenden