Message-ID: <CAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt+n4fegibDoAxK5XARw@mail.gmail.com>
Date: Sat, 2 Mar 2019 18:18:44 +0100
From: Philippe Mouawad <pmouawad@...che.org>
To: ApacheJMeter dev list <dev@...ter.apache.org>, JMeter Users List <user@...ter.apache.org>, announce@...che.org, asf-security <security@...che.org>, oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used

This is a security notification for Apache JMeter:

CVE-2019-0187

Severity: Important

Vendor: The Apache Software Foundation

Affected Versions: JMeter 4.0, 5.0

Description [0]:
Unauthenticated RCE is possible when JMeter is used in distributed mode
(-r or -R command line options). An attacker can establish an RMI connection
to a jmeter-server using RemoteJMeterEngine and proceed with an attack
using untrusted data deserialization.
This only affects tests running in Distributed mode.

Note that versions before 4.0 are not able to encrypt traffic between the
nodes, nor authenticate the participating nodes, so even for those versions,
upgrade to JMeter 5.1 is also advised.

Mitigation:
* Users must use the last minor version of Java 8 to Java 11
* Users must upgrade to the last JMeter 5.1 version and use the default /
  enabled authenticated SSL RMI connection.

Besides, we remind users that in distributed mode, JMeter makes an
architectural assumption that it is operating on a 'safe' network, i.e.
everyone with access to the network is considered trusted.
This typically means a dedicated VPN or similar is being used.

Example:
* Start JMeter server using either jmeter-server or jmeter -s
* Using another keystore file, if you're able to connect to the first server
  instance and you don't get "SSLHandshakeException: Received fatal alert:
  bad_certificate", you are vulnerable

Credit:
This issue was reported responsibly to the Apache Security Team by Brenden
Meeder.

- The Apache JMeter Team

[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=62743
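
The following static audit of a node against the Mitigation section is an added example, not part of the original message and not JMeter project code. It assumes the `server.rmi.ssl.disable` property from JMeter's `jmeter.properties` (not named in the advisory) and uses constructed sample property files; the function names are hypothetical.

```python
# Added example: static audit of one JMeter node for CVE-2019-0187.
import re

AFFECTED = {(4, 0), (5, 0)}  # "Affected Versions" in the advisory

# Constructed sample files; real ones live in JMeter's bin/ directory.
JMETER_PROPERTIES = """\
# RMI SSL settings (constructed sample)
#server.rmi.ssl.disable=false
server_port=1099
"""
USER_PROPERTIES = "! local override (constructed sample)\nserver.rmi.ssl.disable = true\n"


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(version, *property_texts):
    """Return findings; later property files override earlier ones."""
    props = {}
    for text in property_texts:
        props.update(parse_properties(text))
    major_minor = tuple(int(p) for p in version.split(".")[:2])
    findings = []
    if major_minor in AFFECTED:
        findings.append("version is listed as affected; upgrade to JMeter 5.1")
    elif major_minor < (4, 0):
        findings.append("version cannot encrypt or authenticate RMI traffic")
    # Assumption: this property switches off the SSL RMI the advisory relies on.
    if props.get("server.rmi.ssl.disable", "false").lower() == "true":
        findings.append("server.rmi.ssl.disable=true turns off SSL RMI")
    return findings


if __name__ == "__main__":
    for ver in ("3.3", "5.0", "5.1"):
        print(ver, audit(ver, JMETER_PROPERTIES, USER_PROPERTIES))
```

An empty result only means the configuration matches the stated mitigation; the keystore connection test in the Example section is still what shows whether a running server rejects an untrusted client.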