UNKNOWN

CVE-2026-33701

OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution

Platform

java

Component

io.opentelemetry.javaagent:opentelemetry-javaagent

Fixed in

2.26.1

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.

All three of the following conditions must be true to exploit this vulnerability:

1. OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`)
2. An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service)
3. A gadget-chain-compatible library is present on the classpath

### Impact

Arbitrary remote code execution with the privileges of the user running the instrumented JVM.

### Recommendation

Upgrade to version 2.26.1 or later.

### Workarounds

Set the following system property to disable the RMI integration:

```
-Dotel.instrumentation.rmi.enabled=false
```

### Credits

This vulnerability was responsibly disclosed in coordination with Datadog.

How to fix

Update the OpenTelemetry Java Instrumentation library to version 2.26.1 or later. Alternatively, you can disable the RMI integration by setting the system property `-Dotel.instrumentation.rmi.enabled=false`.
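The following triage helper is an added example, not code from the advisory or from the OpenTelemetry project. It reads a JVM command line and checks the two exploitation preconditions that are visible there: whether the OpenTelemetry javaagent is attached (and, when the version is embedded in the jar file name, whether it is at or above the fixed release 2.26.1), and whether the `otel.instrumentation.rmi.enabled=false` workaround from the advisory is set. As a hint for the second precondition it also reports the standard JDK property `com.sun.management.jmxremote.port`, which exposes a JMX/RMI endpoint. It assumes that a versioned jar is named `opentelemetry-javaagent-<x.y.z>.jar`; an unversioned jar name and the presence of a gadget-chain library on the classpath cannot be decided from the command line, so those cases are reported for manual review rather than guessed. The sample command lines are constructed.

```python
"""Triage JVM command lines against the CVE-2026-33701 preconditions (added example)."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (2, 26, 1)                                # first fixed release, per the advisory
RMI_TOGGLE = "otel.instrumentation.rmi.enabled"           # workaround property, per the advisory
JMX_PORT_PROP = "com.sun.management.jmxremote.port"       # standard JDK remote-JMX property

# Assumption: a versioned agent jar is named opentelemetry-javaagent-<x.y.z>.jar
_AGENT_VERSION = re.compile(r"opentelemetry-javaagent-(\d+)\.(\d+)\.(\d+)\.jar$")


@dataclass
class Triage:
    agent_attached: bool
    agent_version: Optional[Tuple[int, int, int]]
    rmi_instrumentation_disabled: bool
    jmx_remote_port: Optional[int]
    status: str                       # not_affected | mitigated | patched | review
    notes: List[str] = field(default_factory=list)


def _parse(cmdline: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (otel agent jar path or None, {system property: value})."""
    agent_path = None
    props: Dict[str, str] = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-javaagent:"):
            # -javaagent:<jarpath>[=<agent options>]
            path = tok[len("-javaagent:"):].split("=", 1)[0]
            if "opentelemetry-javaagent" in path.rsplit("/", 1)[-1]:
                agent_path = path
        elif tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            props[key] = value
    return agent_path, props


def triage(cmdline: str) -> Triage:
    agent_path, props = _parse(cmdline)
    if agent_path is None:
        return Triage(False, None, False, None, "not_affected",
                      ["OpenTelemetry javaagent not attached; precondition 1 not met"])

    match = _AGENT_VERSION.search(agent_path)
    version = tuple(int(g) for g in match.groups()) if match else None
    disabled = props.get(RMI_TOGGLE, "").strip().lower() == "false"
    port_value = props.get(JMX_PORT_PROP, "")
    jmx_port = int(port_value) if port_value.isdigit() else None

    notes: List[str] = []
    if jmx_port is not None:
        notes.append(f"remote JMX enabled on port {jmx_port}: an RMI endpoint is reachable")
    else:
        notes.append("no remote-JMX flag seen; application-exported RMI services are not visible here")
    notes.append("gadget-chain library presence must be checked on the classpath")

    if disabled:
        status = "mitigated"          # advisory workaround in effect
    elif version is not None and version >= FIXED_VERSION:
        status = "patched"            # agent at or above the fixed release
    else:
        status = "review"             # agent attached, RMI instrumentation active, fix not confirmed
        if version is None:
            notes.append("agent version not in jar name; confirm it from the jar itself")
    return Triage(True, version, disabled, jmx_port, status, notes)


# Constructed sample command lines, one per outcome.
SAMPLE_CMDLINES = [
    "java -javaagent:/opt/otel/opentelemetry-javaagent-2.25.0.jar "
    "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar",
    "java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
    "-Dotel.instrumentation.rmi.enabled=false -jar app.jar",
    "java -javaagent:/opt/otel/opentelemetry-javaagent-2.26.1.jar -jar app.jar",
    "java -jar app.jar",
]


def triage_all(cmdlines: List[str]) -> List[str]:
    return [triage(c).status for c in cmdlines]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print(f"{result.status:12} {line}")
        for note in result.notes:
            print(f"{'':12}   - {note}")
```

A `review` result means the agent is attached and the RMI instrumentation is active without a confirmed fix; the remaining preconditions (a reachable RMI endpoint beyond remote JMX, and a gadget-chain library) still have to be checked by hand, as the notes say.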

CVE-2026-33701 — Vulnerability Details | NextGuard