CVE-2018-1287
First published: Wed Feb 14 2018(Updated: )
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache JMeter | =2.1 | |
| Apache JMeter | =2.2 | |
| Apache JMeter | =2.3 | |
| Apache JMeter | =2.3.1 | |
| Apache JMeter | =2.3.2 | |
| Apache JMeter | =2.3.3 | |
| Apache JMeter | =2.3.3-rc1 | |
| Apache JMeter | =2.3.3-rc2 | |
| Apache JMeter | =2.3.4 | |
| Apache JMeter | =2.3.4-rc1 | |
| Apache JMeter | =2.3.4-rc2 | |
| Apache JMeter | =2.3.4-rc3 | |
| Apache JMeter | =2.4 | |
| Apache JMeter | =2.5 | |
| Apache JMeter | =2.5-rc1 | |
| Apache JMeter | =2.5-rc2 | |
| Apache JMeter | =2.5-rc3 | |
| Apache JMeter | =2.5.1 | |
| Apache JMeter | =2.5.1-rc1 | |
| Apache JMeter | =2.5.1-rc2 | |
| Apache JMeter | =2.5.1-rc3 | |
| Apache JMeter | =2.6 | |
| Apache JMeter | =2.6-rc1 | |
| Apache JMeter | =2.6-rc2 | |
| Apache JMeter | =2.7 | |
| Apache JMeter | =2.7-rc1 | |
| Apache JMeter | =2.7-rc2 | |
| Apache JMeter | =2.7-rc3 | |
| Apache JMeter | =2.8 | |
| Apache JMeter | =2.8-rc1 | |
| Apache JMeter | =2.8-rc2 | |
| Apache JMeter | =2.9 | |
| Apache JMeter | =2.9-rc1 | |
| Apache JMeter | =2.9-rc2 | |
| Apache JMeter | =2.9-rc3 | |
| Apache JMeter | =2.10-rc1 | |
| Apache JMeter | =2.10-rc2 | |
| Apache JMeter | =2.11 | |
| Apache JMeter | =2.11-rc1 | |
| Apache JMeter | =2.11-rc2 | |
| Apache JMeter | =2.12 | |
| Apache JMeter | =2.12-rc1 | |
| Apache JMeter | =2.12-rc2 | |
| Apache JMeter | =2.13 | |
| Apache JMeter | =2.13-rc1 | |
| Apache JMeter | =2.13-rc2 | |
| Apache JMeter | =3.0 | |
| Apache JMeter | =3.0-rc1 | |
| Apache JMeter | =3.0-rc2 | |
| Apache JMeter | =3.0-rc3 | |
| Apache JMeter | =3.0-rc4 | |
| Apache JMeter | =3.0-rc5 | |
| Apache JMeter | =3.1 | |
| Apache JMeter | =3.1-rc1 | |
| Apache JMeter | =3.1-rc2 | |
| Apache JMeter | =3.1-rc3 | |
| Apache JMeter | =3.1-rc4 | |
| Apache JMeter | =3.2 | |
| Apache JMeter | =3.2-rc1 | |
| Apache JMeter | =3.2-rc2 | |
| Apache JMeter | =3.2-rc3 | |
| Apache JMeter | =3.3 | |
| Apache JMeter | =3.3-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E
- http://www.securityfocus.com/bid/103068
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b@%3Cissues.jmeter.apache.org%3E
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2018-1287?
The severity of CVE-2018-1287 is classified as critical, with a score of 9.8.
How do I fix CVE-2018-1287?
To fix CVE-2018-1287, upgrade to Apache JMeter version 3.3 or later.
What does CVE-2018-1287 vulnerabilities impact?
CVE-2018-1287 impacts Apache JMeter versions 2.1 to 3.2 when using Distributed Test with RMI.
What kind of attack is possible with CVE-2018-1287?
CVE-2018-1287 could allow an attacker to access JMeterEngine and execute unauthorized code.
How does CVE-2018-1287 exploit the system?
CVE-2018-1287 exploits the system by binding the RMI Registry to a wildcard host.
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache jmeter
- version/apache jmeter/2.1
- version/apache jmeter/2.2
- version/apache jmeter/2.3
- version/apache jmeter/2.3.1
- version/apache jmeter/2.3.2
- version/apache jmeter/2.3.3
- version/apache jmeter/2.3.3-rc1
- version/apache jmeter/2.3.3-rc2
- version/apache jmeter/2.3.4
- version/apache jmeter/2.3.4-rc1
- version/apache jmeter/2.3.4-rc2
- version/apache jmeter/2.3.4-rc3
- version/apache jmeter/2.4
- version/apache jmeter/2.5
- version/apache jmeter/2.5-rc1
- version/apache jmeter/2.5-rc2
- version/apache jmeter/2.5-rc3
- version/apache jmeter/2.5.1
- version/apache jmeter/2.5.1-rc1
- version/apache jmeter/2.5.1-rc2
- version/apache jmeter/2.5.1-rc3
- version/apache jmeter/2.6
- version/apache jmeter/2.6-rc1
- version/apache jmeter/2.6-rc2
- version/apache jmeter/2.7
- version/apache jmeter/2.7-rc1
- version/apache jmeter/2.7-rc2
- version/apache jmeter/2.7-rc3
- version/apache jmeter/2.8
- version/apache jmeter/2.8-rc1
- version/apache jmeter/2.8-rc2
- version/apache jmeter/2.9
- version/apache jmeter/2.9-rc1
- version/apache jmeter/2.9-rc2
- version/apache jmeter/2.9-rc3
- version/apache jmeter/2.10-rc1
- version/apache jmeter/2.10-rc2
- version/apache jmeter/2.11
- version/apache jmeter/2.11-rc1
- version/apache jmeter/2.11-rc2
- version/apache jmeter/2.12
- version/apache jmeter/2.12-rc1
- version/apache jmeter/2.12-rc2
- version/apache jmeter/2.13
- version/apache jmeter/2.13-rc1
- version/apache jmeter/2.13-rc2
- version/apache jmeter/3.0
- version/apache jmeter/3.0-rc1
- version/apache jmeter/3.0-rc2
- version/apache jmeter/3.0-rc3
- version/apache jmeter/3.0-rc4
- version/apache jmeter/3.0-rc5
- version/apache jmeter/3.1
- version/apache jmeter/3.1-rc1
- version/apache jmeter/3.1-rc2
- version/apache jmeter/3.1-rc3
- version/apache jmeter/3.1-rc4
- version/apache jmeter/3.2
- version/apache jmeter/3.2-rc1
- version/apache jmeter/3.2-rc2
- version/apache jmeter/3.2-rc3
- version/apache jmeter/3.3
- version/apache jmeter/3.3-rc1