CVE-2018-1297
📋 TL;DR
Apache JMeter 2.x and 3.x uses unsecured RMI connections in Distributed Test mode, allowing attackers to access JMeterEngine and execute unauthorized code. This affects users running JMeter in distributed testing configurations with RMI enabled.
💻 Affected Systems
- Apache JMeter
📦 What is this software?
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
Jmeter by Apache
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on JMeter servers, allowing complete system compromise and potential lateral movement.
Likely Case
Unauthorized access to JMeter testing infrastructure, manipulation of test results, or denial of service.
If Mitigated
Limited impact if RMI connections are properly secured or disabled, or if network segmentation prevents access.
🎯 Exploit Status
RMI vulnerabilities are well-understood and exploitation tools exist. The vulnerability requires network access to JMeter RMI ports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: JMeter 4.0 and later, or apply security patches to 2.x/3.x
Vendor Advisory: http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
Restart Required: Yes
Instructions:
1. Upgrade to JMeter 4.0 or later. 2. If using 2.x/3.x, apply security patches from Apache. 3. Restart all JMeter instances after patching.
🔧 Temporary Workarounds
Disable RMI in Distributed Testing
allConfigure JMeter to use non-RMI communication or disable distributed testing features.
Set 'server.rmi.ssl.disable=false' and configure SSL for RMI in jmeter.properties
Network Segmentation
linuxRestrict network access to JMeter RMI ports (default 1099, 2010-2019).
iptables -A INPUT -p tcp --dport 1099 -j DROP
iptables -A INPUT -p tcp --dport 2010:2019 -j DROP
🧯 If You Can't Patch
- Disable Distributed Test mode entirely if not required
- Implement strict network ACLs to allow only trusted IPs to access JMeter RMI ports
🔍 How to Verify
Check if Vulnerable:
Check JMeter version and configuration: 1. Run 'jmeter --version' 2. Check jmeter.properties for 'server.rmi.ssl' settings 3. Verify if distributed testing is enabledCheck Version:
jmeter --versionVerify Fix Applied:
1. Confirm JMeter version is 4.0+ or patched 2. Verify RMI SSL is enabled in configuration 3. Test distributed connectivity with SSL requirements📡 Detection & Monitoring
Log Indicators:
- Unauthorized RMI connection attempts in JMeter logs
- Unexpected code execution or test manipulation
Network Indicators:
- Unencrypted RMI traffic on ports 1099, 2010-2019
- RMI connections from untrusted sources
SIEM Query:
source_port IN (1099, 2010-2019) AND protocol="rmi" AND NOT encrypted=true🔗 References
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
- https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
- http://mail-archives.apache.org/mod_mbox/www-announce/201802.mbox/%3CCAH9fUpaNzk5am8oFe07RQ-kynCsQv54yB-uYs9bEnz7tbX-O7g%40mail.gmail.com%3E
- https://bz.apache.org/bugzilla/show_bug.cgi?id=62039
- https://lists.apache.org/thread.html/31e0adbeca9d865ff74d0906b2248a41a1457cb54c1afbe5947df58b%40%3Cissues.jmeter.apache.org%3E
