Source: jakarta-jmeter
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for jakarta-jmeter.

CVE-2018-1287[0]:
| In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI
| based), jmeter server binds RMI Registry to wildcard host. This could
| allow an attacker to get Access to JMeterEngine and send unauthorized
| code.

https://www.openwall.com/lists/oss-security/2018/02/11/2
https://bz.apache.org/bugzilla/show_bug.cgi?id=62039

CVE-2019-0187[1]:
| Unauthenticated RCE is possible when JMeter is used in distributed
| mode (-r or -R command line options). Attacker can establish a RMI
| connection to a jmeter-server using RemoteJMeterEngine and proceed
| with an attack using untrusted data deserialization. This only affects
| tests running in Distributed mode. Note that versions before 4.0 are
| not able to encrypt traffic between the nodes, nor authenticate the
| participating nodes so upgrade to JMeter 5.1 is also advised.

https://bz.apache.org/bugzilla/show_bug.cgi?id=62743

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1287
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1287
[1] https://security-tracker.debian.org/tracker/CVE-2019-0187
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0187

Please adjust the affected versions in the BTS as needed.
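Both CVEs above hinge on the jmeter-server RMI registry being reachable from other hosts, so a defender's first question on an affected 2.x/3.x deployment is whether the registry is listening on a wildcard address at all. The script below is an added example, not part of this bug report or of the JMeter project: it parses lines in the format of `ss -ltnp` and flags LISTEN sockets on the JMeter server port that are bound to `0.0.0.0` or `[::]`. The port (1099, JMeter's default `server_port`) and the sample socket lines are assumptions constructed for the example; adjust the port to what jmeter.properties configures. A finding is a reason to upgrade to the 5.1 release the report advises, or at minimum to restrict the bind address and firewall the port to the controller host.

```python
"""Flag jmeter-server RMI registry listeners bound to a wildcard address.

Added example (not JMeter's own code). Parses `ss -ltnp`-style lines and
reports LISTEN sockets on the JMeter server port that accept connections
on every interface, which is the exposure behind CVE-2018-1287/CVE-2019-0187.
"""
import re

# Assumed default RMI registry port of jmeter-server (server_port=1099 in
# jmeter.properties); change this to the value configured on the host.
DEFAULT_RMI_PORTS = frozenset({1099})

# Local-address forms that ss prints for "bound to all interfaces".
WILDCARD_ADDRS = frozenset({"0.0.0.0", "*", "[::]", "::"})

PID_RE = re.compile(r"pid=(\d+)")


def parse_ss_line(line):
    """Return (state, host, port, pid) for one `ss -ltnp` data line, or None.

    Expected column order: State Recv-Q Send-Q Local Peer Process.
    Header lines and non-LISTEN sockets yield None.
    """
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    # rpartition keeps IPv6 literals such as "[::]" intact.
    host, sep, port = fields[3].rpartition(":")
    if not sep or not port.isdigit():
        return None
    match = PID_RE.search(line)
    pid = int(match.group(1)) if match else None
    return fields[0], host, int(port), pid


def find_wildcard_rmi_listeners(lines, ports=DEFAULT_RMI_PORTS):
    """Return one finding per listener on `ports` bound to a wildcard address."""
    findings = []
    for line in lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        _state, host, port, pid = parsed
        if port in ports and host in WILDCARD_ADDRS:
            findings.append({"host": host, "port": port, "pid": pid})
    return findings


# Constructed sample output in `ss -ltnp` format; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     0.0.0.0:1099        0.0.0.0:*         users:(("java",pid=4242,fd=12))
LISTEN 0      50     [::]:4000           [::]:*            users:(("java",pid=4242,fd=13))
LISTEN 0      128    127.0.0.1:1099      0.0.0.0:*         users:(("java",pid=5151,fd=9))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1,fd=3))
""".splitlines()


def report(lines=SAMPLE_SS_OUTPUT, ports=DEFAULT_RMI_PORTS):
    """Print findings in a one-line-per-socket form and return them."""
    findings = find_wildcard_rmi_listeners(lines, ports)
    for f in findings:
        print(f"pid {f['pid']}: RMI registry bound to {f['host']}:{f['port']} "
              "(all interfaces); restrict bind address, firewall, or upgrade")
    if not findings:
        print("no wildcard-bound JMeter RMI listeners found")
    return findings


if __name__ == "__main__":
    report()
```

On a real host, feed it `ss -ltnp` output (for example `report(subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout.splitlines())`); the loopback-bound entry in the sample is deliberately not flagged, since a registry reachable only from localhost does not expose the engine to other hosts.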