CVE-2019-0187
First published: Sat Mar 02 2019(Updated: )
Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache JMeter | =4.0 | |
| Apache JMeter | =5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-0187?
CVE-2019-0187 is classified as a critical severity vulnerability due to its potential for unauthenticated remote code execution.
How do I fix CVE-2019-0187?
To fix CVE-2019-0187, it is recommended to upgrade Apache JMeter to version 5.1 or later.
Who is affected by CVE-2019-0187?
CVE-2019-0187 affects users of Apache JMeter versions 4.0 and 5.0 when running in distributed mode.
What type of attack can CVE-2019-0187 facilitate?
CVE-2019-0187 can facilitate an unauthenticated remote code execution attack using untrusted data deserialization.
Is authentication required to exploit CVE-2019-0187?
No, CVE-2019-0187 allows for exploitation without authentication, making it particularly dangerous.
- collector/nvd-index
- agent/weakness
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/author
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- vendor/apache
- canonical/apache jmeter
- version/apache jmeter/4.0
- version/apache jmeter/5.0