Vulnerabilities > CVE-2019-0187 - Deserialization of Untrusted Data vulnerability in Apache Jmeter 4.0/5.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Common Weakness Enumeration (CWE)
Nessus
| NASL family | Windows |
| NASL id | APACHE_JMETER_5_1.NASL |
| description | One or more versions of Apache JMeter discovered on the remote host is affected by an unauthenticated remote code execution vulnerability which is possible when JMeter is used in distributed mode. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 122718 |
| published | 2019-03-08 |
| reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/122718 |
| title | Apache JMeter < 5.1 Unauthenticated Remote Code Execution Vulnerability |