Vulnerabilites related to Apache Software Foundation - Apache JMeter
CVE-2018-1297 (GCVE-0-2018-1297)
Vulnerability from cvelistv5
Published
2018-02-13 12:00
Modified
2024-09-17 03:37
Severity ?
CWE
  • Unauthorized code access
Summary
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:59:37.647Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[www-announce] 20180211 CVE-2018-1297: Apache JMeter uses an unsecure RMI connection in Distributed mode",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=62039"
          },
          {
            "name": "[jmeter-issues] 20190609 [Bug 62039] [CVE-2018-1287 \u0026 CVE-2018-1297] Distributed testing : Secure RMI connection by SSL and certificate and bind to host defined \"java.rmi.server.hostname\" system property",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache JMeter",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "2.x"
            },
            {
              "status": "affected",
              "version": "3.x"
            }
          ]
        }
      ],
      "datePublic": "2018-02-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Unauthorized code access",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-09T10:06:03",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[www-announce] 20180211 CVE-2018-1297: Apache JMeter uses an unsecure RMI connection in Distributed mode",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=62039"
        },
        {
          "name": "[jmeter-issues] 20190609 [Bug 62039] [CVE-2018-1287 \u0026 CVE-2018-1297] Distributed testing : Secure RMI connection by SSL and certificate and bind to host defined \"java.rmi.server.hostname\" system property",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2018-02-11T00:00:00",
          "ID": "CVE-2018-1297",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache JMeter",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2.x"
                          },
                          {
                            "version_value": "3.x"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Unauthorized code access"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[www-announce] 20180211 CVE-2018-1297: Apache JMeter uses an unsecure RMI connection in Distributed mode",
              "refsource": "MLIST",
              "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E"
            },
            {
              "name": "https://bz.apache.org/bugzilla/show_bug.cgi?id=62039",
              "refsource": "CONFIRM",
              "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=62039"
            },
            {
              "name": "[jmeter-issues] 20190609 [Bug 62039] [CVE-2018-1287 \u0026 CVE-2018-1297] Distributed testing : Secure RMI connection by SSL and certificate and bind to host defined \"java.rmi.server.hostname\" system property",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b@%3Cissues.jmeter.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2018-1297",
    "datePublished": "2018-02-13T12:00:00Z",
    "dateReserved": "2017-12-07T00:00:00",
    "dateUpdated": "2024-09-17T03:37:56.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-0187 (GCVE-0-2019-0187)
Vulnerability from cvelistv5
Published
2019-03-06 17:00
Modified
2024-09-16 17:53
Severity ?
CWE
  • Unauthenticated RCE
Summary
Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.
Impacted products
Vendor Product Version
Apache Software Foundation Apache JMeter Version: Apache JMeter 4.0 to 5.0
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:44:14.808Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "107219",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107219"
          },
          {
            "name": "[jmeter-user] 20190302 [SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache JMeter",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache JMeter 4.0 to 5.0"
            }
          ]
        }
      ],
      "datePublic": "2019-03-02T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Unauthenticated RCE",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-03-07T10:57:01",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "107219",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107219"
        },
        {
          "name": "[jmeter-user] 20190302 [SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2019-03-02T00:00:00",
          "ID": "CVE-2019-0187",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache JMeter",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache JMeter 4.0 to 5.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Unauthenticated RCE"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "107219",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107219"
            },
            {
              "name": "[jmeter-user] 20190302 [SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used",
              "refsource": "MLIST",
              "url": "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-0187",
    "datePublished": "2019-03-06T17:00:00Z",
    "dateReserved": "2018-11-14T00:00:00",
    "dateUpdated": "2024-09-16T17:53:55.501Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-1287 (GCVE-0-2018-1287)
Vulnerability from cvelistv5
Published
2018-02-14 14:00
Modified
2024-09-17 03:02
Severity ?
CWE
  • Unauthorized code execution
Summary
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:59:37.647Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "103068",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103068"
          },
          {
            "name": "[www-announce] 20180211 CVE-2018-1287: Apache JMeter binds RMI server to wildcard in distributed mode (based on RMI)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E"
          },
          {
            "name": "[jmeter-issues] 20190609 [Bug 62039] [CVE-2018-1287 \u0026 CVE-2018-1297] Distributed testing : Secure RMI connection by SSL and certificate and bind to host defined \"java.rmi.server.hostname\" system property",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache JMeter",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "2.x"
            },
            {
              "status": "affected",
              "version": "3.x"
            }
          ]
        }
      ],
      "datePublic": "2018-02-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Unauthorized code execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-09T10:06:03",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "103068",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103068"
        },
        {
          "name": "[www-announce] 20180211 CVE-2018-1287: Apache JMeter binds RMI server to wildcard in distributed mode (based on RMI)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E"
        },
        {
          "name": "[jmeter-issues] 20190609 [Bug 62039] [CVE-2018-1287 \u0026 CVE-2018-1297] Distributed testing : Secure RMI connection by SSL and certificate and bind to host defined \"java.rmi.server.hostname\" system property",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2018-02-11T00:00:00",
          "ID": "CVE-2018-1287",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache JMeter",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2.x"
                          },
                          {
                            "version_value": "3.x"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Unauthorized code execution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "103068",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103068"
            },
            {
              "name": "[www-announce] 20180211 CVE-2018-1287: Apache JMeter binds RMI server to wildcard in distributed mode (based on RMI)",
              "refsource": "MLIST",
              "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E"
            },
            {
              "name": "[jmeter-issues] 20190609 [Bug 62039] [CVE-2018-1287 \u0026 CVE-2018-1297] Distributed testing : Secure RMI connection by SSL and certificate and bind to host defined \"java.rmi.server.hostname\" system property",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b@%3Cissues.jmeter.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2018-1287",
    "datePublished": "2018-02-14T14:00:00Z",
    "dateReserved": "2017-12-07T00:00:00",
    "dateUpdated": "2024-09-17T03:02:25.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}