CVE-2018-1287: Apache JMeter binds RMI server to wildcard in distributed mode (based on RMI)

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: JMeter 2.X, 3.X
Description:
When using Distributed Test only (RMI based), the JMeter server binds the RMI
Registry to the wildcard host.
This could allow an attacker to get access to JMeterEngine and send
unauthorized code.
This only affects tests running in Distributed mode.
Mitigation:
* Users must use the latest version of Java 8 or Java 9
* Users must upgrade to the latest JMeter 4.0 version
In addition, we remind users that in distributed mode, JMeter makes an
architectural assumption that it is operating on a 'safe' network, i.e.
everyone with access to the network is considered trusted.
This typically means a dedicated VPN or similar is being used.
Example:
* Start the JMeter server using either jmeter-server or jmeter -s
* If JMeter listens on *:1099, you are vulnerable
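The check in the example above, automated as an added script (not part of the advisory or of JMeter): it parses `ss -ltn` or `netstat -ltn` output and reports any listener on the RMI registry port (1099, as in the advisory's example) whose local address is a wildcard. The sample outputs are constructed, not captured from a real host.

```python
import re
import subprocess
from typing import Dict, List

# Local-address spellings that mean "all interfaces" in ss/netstat output.
WILDCARD_ADDRS = {"*", "0.0.0.0", "::", "[::]"}
# The first "address:port" token on a line is the local socket: both ss and
# netstat print the local address before the peer/foreign one.
_ADDR_PORT = re.compile(r"(\S+):(\d+)(?=\s|$)")

# Constructed sample in `ss -ltn` format (first line shows a wildcard bind).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      50     *:1099                  *:*
LISTEN 0      128    127.0.0.1:631           *:*
LISTEN 0      50     [::ffff:10.0.0.5]:4000  [::]:*
"""

# Constructed sample in `netstat -ltn` format (two wildcard binds, one fixed).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State
tcp6       0      0 :::1099         :::*             LISTEN
tcp        0      0 0.0.0.0:1099    0.0.0.0:*        LISTEN
tcp        0      0 10.0.0.5:1099   0.0.0.0:*        LISTEN
"""


def parse_listeners(output: str) -> List[Dict[str, str]]:
    """Extract the local (addr, port) from each ss/netstat line; headers are skipped."""
    found = []
    for line in output.splitlines():
        m = _ADDR_PORT.search(line)
        if m:  # header lines carry no numeric port, so they never match
            found.append({"addr": m.group(1), "port": m.group(2), "line": line.strip()})
    return found


def wildcard_listeners(output: str, port: int = 1099) -> List[str]:
    """Local addresses of listeners on `port` that are bound to all interfaces."""
    return [s["addr"] for s in parse_listeners(output)
            if s["port"] == str(port) and s["addr"] in WILDCARD_ADDRS]


def audit_running_host(port: int = 1099) -> List[str]:
    """Run `ss -ltn` on this (Linux) host and report wildcard listeners on `port`."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=False).stdout
    return wildcard_listeners(out, port)


if __name__ == "__main__":
    for name, sample in (("ss", SAMPLE_SS), ("netstat", SAMPLE_NETSTAT)):
        hits = wildcard_listeners(sample)
        print(f"{name}: {'wildcard RMI bind on ' + str(hits) if hits else 'no wildcard RMI bind'}")
```

Run `audit_running_host()` on a JMeter server host; a non-empty result means the registry is bound to the wildcard address the advisory warns about.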
Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by Brenden Meeder.
- Philippe Mouawad
on behalf of the Apache JMeter PMC
[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=62039

Source: Apache

2018-02-11 09:59:35