Description
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Remediation
References
http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
Related Vulnerabilities
CVE-2019-1003058 Vulnerability in maven package org.jvnet.hudson.plugins:ftppublisher
CVE-2018-11802 Vulnerability in maven package org.apache.solr:solr-core
CVE-2019-16869 Vulnerability in maven package io.netty:netty-codec-http
CVE-2022-45146 Vulnerability in maven package org.bouncycastle:bc-fips