PT-2019-11181 · Apache · Apache JMeter
Published 2019-03-06 · Updated 2020-08-24
CVE-2019-0187
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Apache JMeter versions prior to 5.1
Description:
The issue allows unauthenticated remote code execution when JMeter is used in distributed mode (a node started with jmeter-server, driven by a controller using the -r or -R command-line options). An attacker who can reach the RMI port of a jmeter-server can connect to its RemoteJMeterEngine and send serialized objects that are deserialized without validation, leading to code execution on the node. Only tests run in distributed mode are affected; a standalone JMeter instance does not expose this endpoint. Note also that versions before 4.0 cannot encrypt the traffic between nodes or authenticate the participating nodes, so on those versions the RMI channel is both cleartext and open to any client.
Recommendations:
For versions prior to 5.1, upgrade to JMeter 5.1 or later. Until the upgrade is applied, do not run tests in distributed mode and stop any running jmeter-server processes. Where distributed mode cannot be avoided, restrict network access to the RemoteJMeterEngine, i.e. the RMI registry port (server_port, 1099 by default) and the RMI object port on every node, to the controller host only, and on 4.0 and later keep RMI over SSL enabled (server.rmi.ssl.disable=false) with the RMI keystore deployed so that nodes authenticate each other.
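A quick way to triage a fleet of load-generator hosts against the points above is to check each node's version and its remote-testing properties. The script below is an added example, not part of the advisory or of the JMeter project: it reads the properties shipped in bin/jmeter.properties from 4.0 on (server_port, server.rmi.ssl.disable), treats a missing server.rmi.ssl.disable as the shipped default of false, and reports findings by code. The sample property excerpts and version strings are constructed for the demo.

```python
"""Audit a JMeter node's remote-testing setup for CVE-2019-0187 exposure.

Added example, not part of the advisory or of the JMeter project. It inspects
server_port and server.rmi.ssl.disable as found in bin/jmeter.properties
(JMeter 4.0 and later); the sample texts below are constructed for the demo.
"""
import re

FIXED_VERSION = (5, 1)          # first release with the fix
SSL_CAPABLE_VERSION = (4, 0)    # first release able to encrypt/authenticate RMI


def parse_version(version: str) -> tuple:
    """'5.0', '4.0 r...' or '3.3' -> (major, minor)."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised JMeter version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: ignores blank and #/! comment lines and
    splits each remaining line at the first '=' or ':'. Commented-out keys are
    skipped, so JMeter's built-in defaults apply for them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(version: str, properties_text: str, distributed: bool = True) -> list:
    """Return (code, message) findings for one node. 'distributed' is False
    when the host never starts jmeter-server and never runs jmeter with -r/-R:
    the flaw is only reachable through the RemoteJMeterEngine RMI endpoint."""
    findings = []
    if not distributed:
        return findings
    v = parse_version(version)
    props = parse_properties(properties_text)
    rmi_port = props.get("server_port", "1099")  # jmeter.properties default

    if v < FIXED_VERSION:
        findings.append(("CVE-2019-0187",
                         f"JMeter {version} is prior to 5.1: any client reaching RMI port "
                         f"{rmi_port} can trigger deserialization of untrusted data in "
                         "RemoteJMeterEngine; upgrade to 5.1 or stop distributed mode"))
    if v < SSL_CAPABLE_VERSION:
        findings.append(("RMI-NO-SSL-SUPPORT",
                         "versions before 4.0 cannot encrypt RMI traffic or authenticate "
                         "nodes; isolate the RMI ports to the controller at the network layer"))
    elif props.get("server.rmi.ssl.disable", "false").strip().lower() == "true":
        findings.append(("RMI-SSL-DISABLED",
                         "server.rmi.ssl.disable=true: node traffic is cleartext and any "
                         "client is accepted; set it to false and deploy the RMI keystore"))
    return findings


# Constructed sample: a 5.0 node whose operator switched RMI-over-SSL off.
SAMPLE_VULNERABLE = """\
# bin/jmeter.properties excerpt (constructed for this example)
server_port=1099
server.rmi.ssl.disable=true
"""

# Constructed sample: an upgraded node with SSL left at its default.
SAMPLE_HARDENED = """\
server_port=1099
#server.rmi.ssl.disable=false
server.rmi.ssl.keystore.file=rmi_keystore.jks
"""

if __name__ == "__main__":
    for label, version, text in (("node-a", "5.0", SAMPLE_VULNERABLE),
                                 ("node-b", "5.1", SAMPLE_HARDENED)):
        results = audit(version, text)
        print(f"{label} (JMeter {version}): {'OK' if not results else ''}")
        for code, message in results:
            print(f"  [{code}] {message}")
```

The version check alone drives the upgrade decision; the SSL check matters on 4.0 and 5.0 nodes that will stay in service for a while, because with SSL disabled the RMI registry accepts the malicious stream from any host that can reach the port.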
Tags: Fix · RCE · Use of a Broken Cryptographic Algorithm · Deserialization of Untrusted Data
Affected Products: Apache JMeter · Debian