Description
When Distributed Testing (RMI-based) is used, Apache JMeter 2.x and 3.x use an unsecured RMI connection. This could allow an attacker to gain access to JMeterEngine and send unauthorized code.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E