Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 2 Mar 2019 18:18:44 +0100
From: Philippe Mouawad <>
To: ApacheJMeter dev list <>, JMeter Users List <>,, 
	asf-security <>,
Subject: [SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI
 connection when distributed test is used

This is a security notification for Apache JMeter:

Severity: Important
Vendor: The Apache Software Foundation
Affected Versions : JMeter 4.0, 5.0

Description [0]:

Unauthenticated RCE is possible when JMeter is used in distributed mode (-r
or -R command line options).
Attacker can establish a RMI connection to a jmeter-server using
RemoteJMeterEngine and proceed with an attack using untrusted data
This only affect tests running in Distributed mode.
Note that versions before 4.0 are not able to encrypt traffic between the
nodes, nor authenticate the participating nodes so even for those versions,
upgrade to JMeter 5.1 is
also advised.

  * Users must use last minor version of Java 8 to Java 11
  * Users must upgrade to last JMeter 5.1 version and use the default /
enabled authenticated SSL RMI connection.

Besides, we remind users that in distributed mode, JMeter makes an
Architectural assumption
that it is operating on a 'safe' network. i.e. everyone with access to the
network is considered trusted.

This typically means a dedicated VPN or similar is being used.

  * Start JMeter server using either jmeter-server or jmeter -s
  * Using another keystore file, if you're able to connect to first server
instance and you don't get "SSLHandshakeException: Received fatal alert:
bad_certificate", you are vulnerable

This issue was reported responsibly to the Apache Security Team by Brenden

- The Apache JMeter Team


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.