When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Weakness
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jmeter | Apache | 2.1 (including) | 2.1 (including) |
| Jmeter | Apache | 2.2 (including) | 2.2 (including) |
| Jmeter | Apache | 2.3 (including) | 2.3 (including) |
| Jmeter | Apache | 2.3.1 (including) | 2.3.1 (including) |
| Jmeter | Apache | 2.3.2 (including) | 2.3.2 (including) |
| Jmeter | Apache | 2.3.3 (including) | 2.3.3 (including) |
| Jmeter | Apache | 2.3.3-rc1 (including) | 2.3.3-rc1 (including) |
| Jmeter | Apache | 2.3.3-rc2 (including) | 2.3.3-rc2 (including) |
| Jmeter | Apache | 2.3.4 (including) | 2.3.4 (including) |
| Jmeter | Apache | 2.3.4-rc1 (including) | 2.3.4-rc1 (including) |
| Jmeter | Apache | 2.3.4-rc2 (including) | 2.3.4-rc2 (including) |
| Jmeter | Apache | 2.3.4-rc3 (including) | 2.3.4-rc3 (including) |
| Jmeter | Apache | 2.4 (including) | 2.4 (including) |
| Jmeter | Apache | 2.5 (including) | 2.5 (including) |
| Jmeter | Apache | 2.5-rc1 (including) | 2.5-rc1 (including) |
| Jmeter | Apache | 2.5-rc2 (including) | 2.5-rc2 (including) |
| Jmeter | Apache | 2.5-rc3 (including) | 2.5-rc3 (including) |
| Jmeter | Apache | 2.5.1 (including) | 2.5.1 (including) |
| Jmeter | Apache | 2.5.1-rc1 (including) | 2.5.1-rc1 (including) |
| Jmeter | Apache | 2.5.1-rc2 (including) | 2.5.1-rc2 (including) |
| Jmeter | Apache | 2.5.1-rc3 (including) | 2.5.1-rc3 (including) |
| Jmeter | Apache | 2.6 (including) | 2.6 (including) |
| Jmeter | Apache | 2.6-rc1 (including) | 2.6-rc1 (including) |
| Jmeter | Apache | 2.6-rc2 (including) | 2.6-rc2 (including) |
| Jmeter | Apache | 2.7 (including) | 2.7 (including) |
| Jmeter | Apache | 2.7-rc1 (including) | 2.7-rc1 (including) |
| Jmeter | Apache | 2.7-rc2 (including) | 2.7-rc2 (including) |
| Jmeter | Apache | 2.7-rc3 (including) | 2.7-rc3 (including) |
| Jmeter | Apache | 2.8 (including) | 2.8 (including) |
| Jmeter | Apache | 2.8-rc1 (including) | 2.8-rc1 (including) |
| Jmeter | Apache | 2.8-rc2 (including) | 2.8-rc2 (including) |
| Jmeter | Apache | 2.9 (including) | 2.9 (including) |
| Jmeter | Apache | 2.9-rc1 (including) | 2.9-rc1 (including) |
| Jmeter | Apache | 2.9-rc2 (including) | 2.9-rc2 (including) |
| Jmeter | Apache | 2.9-rc3 (including) | 2.9-rc3 (including) |
| Jmeter | Apache | 2.10-rc1 (including) | 2.10-rc1 (including) |
| Jmeter | Apache | 2.10-rc2 (including) | 2.10-rc2 (including) |
| Jmeter | Apache | 2.11 (including) | 2.11 (including) |
| Jmeter | Apache | 2.11-rc1 (including) | 2.11-rc1 (including) |
| Jmeter | Apache | 2.11-rc2 (including) | 2.11-rc2 (including) |
| Jmeter | Apache | 2.12 (including) | 2.12 (including) |
| Jmeter | Apache | 2.12-rc1 (including) | 2.12-rc1 (including) |
| Jmeter | Apache | 2.12-rc2 (including) | 2.12-rc2 (including) |
| Jmeter | Apache | 2.13 (including) | 2.13 (including) |
| Jmeter | Apache | 2.13-rc1 (including) | 2.13-rc1 (including) |
| Jmeter | Apache | 2.13-rc2 (including) | 2.13-rc2 (including) |
| Jmeter | Apache | 3.0 (including) | 3.0 (including) |
| Jmeter | Apache | 3.0-rc1 (including) | 3.0-rc1 (including) |
| Jmeter | Apache | 3.0-rc2 (including) | 3.0-rc2 (including) |
| Jmeter | Apache | 3.0-rc3 (including) | 3.0-rc3 (including) |
| Jmeter | Apache | 3.0-rc4 (including) | 3.0-rc4 (including) |
| Jmeter | Apache | 3.0-rc5 (including) | 3.0-rc5 (including) |
| Jmeter | Apache | 3.1 (including) | 3.1 (including) |
| Jmeter | Apache | 3.1-rc1 (including) | 3.1-rc1 (including) |
| Jmeter | Apache | 3.1-rc2 (including) | 3.1-rc2 (including) |
| Jmeter | Apache | 3.1-rc3 (including) | 3.1-rc3 (including) |
| Jmeter | Apache | 3.1-rc4 (including) | 3.1-rc4 (including) |
| Jmeter | Apache | 3.2 (including) | 3.2 (including) |
| Jmeter | Apache | 3.2-rc1 (including) | 3.2-rc1 (including) |
| Jmeter | Apache | 3.2-rc2 (including) | 3.2-rc2 (including) |
| Jmeter | Apache | 3.2-rc3 (including) | 3.2-rc3 (including) |
| Jmeter | Apache | 3.3 (including) | 3.3 (including) |
| Jmeter | Apache | 3.3-rc1 (including) | 3.3-rc1 (including) |
| Jakarta-jmeter | Ubuntu | artful | * |
| Jakarta-jmeter | Ubuntu | bionic | * |
| Jakarta-jmeter | Ubuntu | cosmic | * |
| Jakarta-jmeter | Ubuntu | disco | * |
| Jakarta-jmeter | Ubuntu | eoan | * |
| Jakarta-jmeter | Ubuntu | focal | * |
| Jakarta-jmeter | Ubuntu | groovy | * |
| Jakarta-jmeter | Ubuntu | hirsute | * |
| Jakarta-jmeter | Ubuntu | impish | * |
| Jakarta-jmeter | Ubuntu | kinetic | * |
| Jakarta-jmeter | Ubuntu | lunar | * |
| Jakarta-jmeter | Ubuntu | mantic | * |
| Jakarta-jmeter | Ubuntu | oracular | * |
| Jakarta-jmeter | Ubuntu | plucky | * |
| Jakarta-jmeter | Ubuntu | trusty | * |
| Jakarta-jmeter | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/102.html
- https://cwe.mitre.org/data/definitions/117.html
- https://cwe.mitre.org/data/definitions/383.html
- https://cwe.mitre.org/data/definitions/477.html
- https://cwe.mitre.org/data/definitions/65.html
References
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
- https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
- https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E