CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used! Mar 2019

Preface: If your company has not been performing load testing, it is hard to know the actual performance of a web application. Deploying JMeter displays the test results in a graph that is updated in real time.

Synopsis: Perhaps the software developers did not imagine that a JMeter design weakness could endanger the web server, and so the JMeter function may still be found active after the services have launched.

Vulnerability detail: Apache JMeter is missing client authentication for the RMI connection when a distributed test is used. An attacker could therefore exploit this vulnerability by establishing a Remote Method Invocation (RMI) connection to a jmeter-server through the RemoteJMeterEngine interface. In this way the attacker can execute arbitrary code on the targeted system.

Remedy: Apache.org has released an update at the following link: https://jmeter.apache.org/download_jmeter.cgi
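As an added example that is not part of the advisory or of JMeter's own code, the following script audits a jmeter-server properties file for the RMI-over-SSL settings that the updated release uses to authenticate RMI peers. The property names `server.rmi.ssl.disable` and `server.rmi.ssl.keystore.file` are assumed from JMeter's documented configuration, and both sample files are constructed.

```python
"""Audit a JMeter properties file for RMI transport hardening.

Assumption (not from the advisory): the keys below are JMeter's documented
RMI/SSL properties. A file that disables SSL, or enables it without a
keystore, leaves jmeter-server accepting unauthenticated RMI clients.
"""
import re

RMI_SSL_DISABLE = "server.rmi.ssl.disable"      # assumed JMeter property name
RMI_KEYSTORE = "server.rmi.ssl.keystore.file"   # assumed JMeter property name


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key: value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_rmi_config(text):
    """Return a list of findings; an empty list means the RMI transport is protected."""
    props = parse_properties(text)
    findings = []
    if props.get(RMI_SSL_DISABLE, "false").lower() == "true":
        findings.append(f"{RMI_SSL_DISABLE}=true: remote engine accepts unauthenticated RMI clients")
    elif not props.get(RMI_KEYSTORE):
        # Also catches files that predate the SSL keys entirely (no keystore configured).
        findings.append(f"{RMI_KEYSTORE} unset: no keystore, jmeter-server cannot authenticate peers")
    return findings


# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_CONFIG = """# distributed test, SSL explicitly switched off
server.rmi.ssl.disable=true
"""
HARDENED_CONFIG = """server.rmi.ssl.disable=false
server.rmi.ssl.keystore.file=rmi_keystore.jks
server.rmi.ssl.keystore.password=changeit
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_rmi_config(cfg) or ["ok"])
```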