Описание
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:
- OpenTelemetry Java instrumentation is attached as a Java agent (
-javaagent) - An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service)
- A gadget-chain-compatible library is present on the classpath
Impact
Arbitrary remote code execution with the privileges of the user running the instrumented JVM.
Recommendation
Upgrade to version 2.26.1 or later.
Workarounds
Set the following system property to disable the RMI integration:
Credits
This vulnerability was responsibly disclosed in coordination with Datadog.
Ссылки
- https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7
- https://nvd.nist.gov/vuln/detail/CVE-2026-33701
- https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197
- https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1
Пакеты
io.opentelemetry.javaagent:opentelemetry-javaagent
< 2.26.1
2.26.1