CVE-2019-0187

CWE-327 — Broken Cryptographic Algorithm CWE-502 — Deserialization of Untrusted Data6 documents5 sources

Severity

9.8CRITICAL

EPSS

0.6%

top 29.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Jmeter Apache Jmeter

Timeline

PublishedMar 6

Latest updateMar 7

Description

Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.jmeter:ApacheJMeter< 5.1

▶NVDapache/jmeter4.0, 5.0+1

▶CVEListV5apache_software_foundation/apache_jmeterApache JMeter 4.0 to 5.0

🔴Vulnerability Details

GHSA

Unauthenticated Remote Code Execution in Apache JMeter↗2019-03-07

▶

OSV

Unauthenticated Remote Code Execution in Apache JMeter↗2019-03-07

▶

CVEList

CVE-2019-0187: Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options)↗2019-03-06

▶

OSV

CVE-2019-0187: Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options)↗2019-03-06

▶

📋Vendor Advisories

Debian

CVE-2019-0187: jakarta-jmeter - Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -...↗2019

▶