{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/opentelemetry-java-agent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenTelemetry Java agent"],"_cs_severities":["critical"],"_cs_tags":["rce","opentelemetry","deserialization"],"_cs_type":"advisory","_cs_vendors":["OpenTelemetry"],"content_html":"\u003cp\u003eOpenTelemetry is an observability framework providing APIs, SDKs, and tools for collecting telemetry data from applications. A critical vulnerability, CVE-2026-33701, affects OpenTelemetry Java agent versions prior to 2.26.1. The vulnerability stems from the RMI instrumentation registering a custom endpoint that deserializes incoming data without proper serialization filters. This exposes a potential remote code execution (RCE) risk. Successful exploitation requires the OpenTelemetry Java agent to be attached as a Java agent (\u003ccode\u003e-javaagent\u003c/code\u003e), a network-reachable RMI endpoint (e.g., JMX, RMI registry), and the presence of a gadget-chain-compatible library on the classpath. This vulnerability was responsibly disclosed in coordination with Datadog.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target JVM running a vulnerable version of the OpenTelemetry Java agent (prior to 2.26.1).\u003c/li\u003e\n\u003cli\u003eThe attacker confirms that the target JVM has a network-reachable RMI endpoint (e.g., JMX remote port).\u003c/li\u003e\n\u003cli\u003eThe attacker ensures a gadget-chain-compatible library (e.g., those used in typical Java deserialization attacks) is present on the target's classpath.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized Java object (payload) designed to execute arbitrary code when deserialized. This payload leverages a known gadget chain within the available libraries.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious serialized object to the vulnerable RMI endpoint exposed by the OpenTelemetry Java agent's RMI instrumentation.\u003c/li\u003e\n\u003cli\u003eThe OpenTelemetry Java agent deserializes the object without proper validation, triggering the gadget chain.\u003c/li\u003e\n\u003cli\u003eThe gadget chain executes arbitrary code within the context of the JVM process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially gaining full control of the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33701 allows for arbitrary remote code execution with the privileges of the user running the instrumented JVM. This could lead to complete system compromise, data theft, or denial of service. Given the widespread use of OpenTelemetry for monitoring, a successful attack could have significant implications for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OpenTelemetry Java agent version 2.26.1 or later to remediate CVE-2026-33701.\u003c/li\u003e\n\u003cli\u003eApply the provided workaround by setting the system property \u003ccode\u003e-Dotel.instrumentation.rmi.enabled=false\u003c/code\u003e to disable the vulnerable RMI integration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-opentelemetry-rmi-rce/","summary":"A remote code execution vulnerability exists in OpenTelemetry Java agent versions prior to 2.26.1 due to unsafe deserialization in the RMI instrumentation, potentially allowing attackers with network access to execute arbitrary code on vulnerable systems.","title":"OpenTelemetry RMI Instrumentation Unsafe Deserialization RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-opentelemetry-rmi-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenTelemetry Java Agent","version":"https://jsonfeed.org/version/1.1"}