Apache JMeter RMI Connection Arbitrary Code Execution Vulnerability



A vulnerability in the distributed mode of Apache JMeter could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to deserialization of untrusted data. An attacker could exploit this vulnerability by establishing a Remote Method Invocation (RMI) connection with a jmeter-server while using the RemoteJMeterEngine interface. A successful exploit could allow the attacker to execute arbitrary code on a targeted system.

Apache.org has confirmed this vulnerability and updates are available.

Security Impact Rating: Critical

CVE: CVE-2019-0187

Source: Cisco Multivendor Vulnerability Alerts