PT-2018-11443 · Apache+1 · Apache Jmeter+1

Published

2018-02-14

·

Updated

2022-05-13

·

CVE-2018-1287

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache JMeter versions 2.X through 3.X

Description

The issue arises when Apache JMeter is used in Distributed Test mode, which is built on Java RMI. In this mode the jmeter-server process binds its RMI Registry to the wildcard address rather than to a specific interface, so any host that can reach the registry port (1099 by default) can look up the JMeterEngine remote object and submit code of its choosing for the server to run. The vulnerability follows from JMeter's architectural assumption that it is operating on a 'safe' network where every user with access is trusted: the RMI endpoint requires no authentication, which is why the CVSS vector scores PR:N.

Recommendations

Upgrade to Apache JMeter 4.0 or later, where this issue is fixed. Where an upgrade is not yet possible, restrict network access to the RMI Registry port (and the RMI object port jmeter-server uses, configured by server.rmi.localport) to the controller host(s), for example with a host firewall rule or cloud security group, so that only trusted users on the 'safe' network JMeter assumes can reach it. Limiting access at the network layer is a workaround, not a fix: anyone who can still reach the port can still drive the engine.
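The exposure described above can be verified without touching the JMeterEngine itself: if the registry answers a Java RMI (JRMP) handshake from an address outside the trusted network, the wildcard binding is reachable. The following probe is an added example written for this entry, not Apache JMeter project code. It sends the JRMP client hello (magic "JRMI", version 2, StreamProtocol byte 0x4B) and parses the ProtocolAck (0x4E) with which an RMI endpoint replies, followed by the client host it observed and an int port. start_fake_registry() is a constructed stand-in for jmeter-server so the script runs offline; the port number 1099 is JMeter's documented server_port default.

```python
"""Probe whether a JMeter RMI registry answers a JRMP handshake from the network.

Added example for CVE-2018-1287; not Apache JMeter project code.
"""
import socket
import struct
import threading
from typing import Optional

RMI_MAGIC = b"JRMI"
RMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F
JMETER_REGISTRY_PORT = 1099  # JMeter's default server_port


def build_handshake() -> bytes:
    """Client hello: 4-byte magic, big-endian u16 version, protocol byte."""
    return RMI_MAGIC + struct.pack(">HB", RMI_VERSION, STREAM_PROTOCOL)


def parse_ack(data: bytes) -> Optional[dict]:
    """Parse a ProtocolAck: 0x4E, u16 host length, host bytes, i32 port.

    Returns {"host", "port"} or None for a NACK, a non-RMI banner or a
    truncated message.
    """
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (hlen,) = struct.unpack(">H", data[1:3])
    end = 3 + hlen
    if len(data) < end + 4:
        return None
    host = data[3:end].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[end:end + 4])
    return {"host": host, "port": port}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def probe_registry(host: str, port: int = JMETER_REGISTRY_PORT,
                   timeout: float = 3.0) -> Optional[dict]:
    """Return the parsed ProtocolAck if host:port speaks JRMP, else None.

    A result from a host outside the trusted network means the registry is
    bound to the wildcard address (or otherwise reachable) and the
    JMeterEngine is exposed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_handshake())
            head = _recv_exact(sock, 3)  # ack byte + u16 host length
            if head[0] != PROTOCOL_ACK:
                return None
            (hlen,) = struct.unpack(">H", head[1:3])
            return parse_ack(head + _recv_exact(sock, hlen + 4))
    except (OSError, ConnectionError, struct.error):
        return None


def start_fake_registry(bind_addr: str = "127.0.0.1") -> int:
    """Constructed JRMP responder standing in for jmeter-server (offline use).

    Binding to "0.0.0.0" reproduces the wildcard exposure in the advisory.
    Serves one connection and returns the ephemeral port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(1)

    def serve() -> None:
        conn, peer = srv.accept()
        with conn, srv:
            hello = _recv_exact(conn, 7)  # magic(4) + version(2) + protocol(1)
            if hello[:4] != RMI_MAGIC:
                conn.sendall(bytes([PROTOCOL_NACK]))
                return
            seen = peer[0].encode()  # client address as the server saw it
            conn.sendall(bytes([PROTOCOL_ACK]) + struct.pack(">H", len(seen))
                         + seen + struct.pack(">i", 0))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_registry("127.0.0.1")
    print("loopback probe:", probe_registry("127.0.0.1", port))
```

Run probe_registry() against the jmeter-server host from a machine that should not be trusted; a dictionary back means the registry is reachable from there and the network restriction recommended above is not in place, while None after the firewall rule or security group is applied confirms the workaround. The probe only establishes reachability of the RMI endpoint; it does not look up or invoke JMeterEngine.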

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related identifiers

CVE-2018-1287
GHSA-J7J7-G4WW-PXG5

Affected products

Apache Jmeter
Debian