This is a security notification for Apache JMeter: CVE-2019-0187 Severity: Important Vendor: The Apache Software Foundation Affected Versions : JMeter 4.0, 5.0
Description [0]: Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so even for those versions, upgrade to JMeter 5.1 is also advised. Mitigation: * Users must use last minor version of Java 8 to Java 11 * Users must upgrade to last JMeter 5.1 version and use the default / enabled authenticated SSL RMI connection. Besides, we remind users that in distributed mode, JMeter makes an Architectural assumption that it is operating on a 'safe' network. i.e. everyone with access to the network is considered trusted. This typically means a dedicated VPN or similar is being used. Example: * Start JMeter server using either jmeter-server or jmeter -s * Using another keystore file, if you're able to connect to first server instance and you don't get "SSLHandshakeException: Received fatal alert: bad_certificate", you are vulnerable Credit: This issue was reported responsibly to the Apache Security Team by Brenden Meeder. - The Apache JMeter Team [0] https://bz.apache.org/bugzilla/show_bug.cgi?id=62743
