CVE-2018-1287 — Missing certificate validation in Apache JMeter

Description

In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

How to fix CVE-2018-1287

To remediate CVE-2018-1287, upgrade the affected package to a fixed version below.

Debian/jakarta-jmeter—no fix listed
—upgrade to 4.0 or later

Is CVE-2018-1287 being exploited?

Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1287
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-1287
PATCHgithub.com/apache/jmeter
WEBmail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpYsFx1%2Brwz1A%3Dmc7wAgbDHARyj1VrWNg41y9OySuL1mqw%40mail.gmail.com%3E