
CVE-2018-1297:
Missing certificate validation in Apache JMeter

CVSS Score
9.8

Basic Information

EPSS Score
-
Published
5/13/2022
Updated
2/2/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
org.apache.jmeter:ApacheJMeter
Ecosystem
maven
Vulnerable Versions
< 4.0
First Patched Version
4.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the RMI transport that Apache JMeter versions before 4.0 use for distributed (remote) testing: the registry and the remote engine are exported over plain TCP, with no TLS and no authentication of the connecting client. The fix (Bug 62039, shipped in 4.0) introduced SSL socket factories (SSLRMIClientSocketFactory/SSLRMIServerSocketFactory) and keystore management so that the registry and engine stubs are exported over TLS and only clients holding a trusted certificate can connect. The vulnerable functions are those responsible for RMI server/client initialization without these measures: RemoteJMeterEngineImpl.start handles server-side RMI setup without SSL, ClientJMeterEngine handles the insecure client connection, and RmiUtils.createRegistry creates an insecure registry. Together they implement the cleartext, unauthenticated RMI communication described in CVE-2018-1297 and classified as CWE-319 (Cleartext Transmission of Sensitive Information). Because a JMeter test plan may carry JSR223/BeanShell scripts, the ability to submit a plan to an exposed engine amounts to arbitrary code execution on the server node, which is why the CVSS score is 9.8.
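The following is an added example, not JMeter's own code, that contrasts the two export patterns described above: a registry and engine stub exported with Java RMI's default (plaintext) socket factories, beside the same export done over TLS with mandatory client certificates. It uses the JDK's javax.rmi.ssl factories in place of JMeter's own SSLRMIClientSocketFactory/SSLRMIServerSocketFactory, and the Engine interface, EngineImpl class, "JMeterEngine" binding name and keystore path are hypothetical stand-ins for illustration.

```java
// Added example (not from JMeter): plaintext RMI export vs. TLS RMI export with client auth.
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIClientSocketFactory;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class RmiTransportDemo {

    /** Hypothetical stand-in for JMeter's remote engine interface. */
    public interface Engine extends Remote {
        void runTest(String testPlanName) throws RemoteException;
    }

    /** Hypothetical server-side implementation; a real engine would execute the plan. */
    static class EngineImpl implements Engine {
        @Override
        public void runTest(String testPlanName) throws RemoteException {
            System.out.println("running " + testPlanName);
        }
    }

    // BEFORE (the JMeter < 4.0 pattern): registry and stub use the default socket
    // factories, i.e. plaintext TCP. Any client that can reach the port can look up
    // the stub and invoke runTest() with no authentication.
    static Registry exportPlaintext(int port) throws RemoteException {
        Registry registry = LocateRegistry.createRegistry(port);
        Engine stub = (Engine) UnicastRemoteObject.exportObject(new EngineImpl(), 0);
        registry.rebind("JMeterEngine", stub);
        return registry;
    }

    // AFTER (the approach of Bug 62039): registry and stub are exported through TLS
    // socket factories. needClientAuth=true makes the server demand a client
    // certificate, so only clients whose certificate chains to the truststore connect.
    // The client socket factory is serialized inside the stub, so the client side
    // automatically uses TLS when it talks to this registry.
    static Registry exportTls(int port) throws RemoteException {
        RMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        RMIServerSocketFactory ssf = new SslRMIServerSocketFactory(
                null,   // enabled cipher suites: JVM defaults
                null,   // enabled protocols: JVM defaults
                true);  // needClientAuth
        Registry registry = LocateRegistry.createRegistry(port, csf, ssf);
        Engine stub = (Engine) UnicastRemoteObject.exportObject(new EngineImpl(), 0, csf, ssf);
        registry.rebind("JMeterEngine", stub);
        return registry;
    }

    public static void main(String[] args) throws Exception {
        // The JDK SSL factories read key material from the standard javax.net.ssl
        // properties. Path and password are placeholders; the same keystore is used
        // as truststore here because server and client share one self-signed key.
        System.setProperty("javax.net.ssl.keyStore", "rmi_keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "rmi_keystore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        Registry registry = exportTls(1099);
        System.out.println("TLS RMI registry with client auth listening on 1099; Ctrl-C to stop");
        Thread.currentThread().join(); // keep the exported object alive
    }
}
```

Generate the keystore with keytool (for example `keytool -genkeypair -alias rmi -keyalg RSA -keystore rmi_keystore.jks`) and copy it to every node before starting; with needClientAuth set, a client without a matching certificate is rejected at the TLS handshake rather than at the RMI layer. In JMeter 4.0 itself the equivalent settings live under the server.rmi.ssl.* properties in jmeter.properties (server.rmi.ssl.disable, server.rmi.ssl.keystore.file and related keys), and a plaintext registry on the RMI port remains the thing to check for when auditing an upgraded installation.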


WAF Protection Rules

WAF Rule

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code.
