<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dd-Trace-Java - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/dd-trace-java/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/dd-trace-java/feed.xml" rel="self" type="application/rss+xml"/><item><title>dd-trace-java RMI Deserialization Remote Code Execution Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-dd-trace-java-rce/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-dd-trace-java-rce/</guid><description>A remote code execution vulnerability exists in dd-trace-java versions prior to 1.60.3 due to unsafe deserialization in the RMI instrumentation, potentially allowing attackers with network access to a JMX or RMI port to execute arbitrary code on affected systems.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in the dd-trace-java library, specifically within its RMI instrumentation. Versions prior to 1.60.3 are susceptible to unsafe deserialization of incoming data on a custom RMI endpoint, potentially leading to remote code execution. This vulnerability affects applications using dd-trace-java as a Java agent on Java 16 or earlier. The exploitability hinges on three conditions: the agent being attached, a JMX/RMI port being explicitly configured and network-reachable, and the presence of a gadget-chain-compatible library on the classpath. This vulnerability, responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program, poses a significant threat to applications instrumented with vulnerable versions of dd-trace-java. Successful exploitation grants the attacker the privileges of the user running the instrumented JVM.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a target system running dd-trace-java as a Java agent on JDK 16 or earlier, with a JMX/RMI port exposed.</li>
<li>The attacker probes the exposed JMX/RMI port (typically configured via <code>-Dcom.sun.management.jmxremote.port</code>).</li>
<li>The attacker crafts a malicious serialized payload using a gadget-chain-compatible library present on the target's classpath.</li>
<li>The attacker sends the malicious serialized payload to the vulnerable RMI endpoint registered by dd-trace-java.</li>
<li>The vulnerable RMI instrumentation in dd-trace-java deserializes the incoming data without proper validation or serialization filters.</li>
<li>The deserialization process triggers the gadget chain within the malicious payload.</li>
<li>The gadget chain executes arbitrary code on the target system, granting the attacker control.</li>
<li>The attacker gains remote code execution with the privileges of the user running the instrumented JVM.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows for arbitrary remote code execution with the privileges of the user running the instrumented JVM. This could lead to complete system compromise, data theft, denial of service, or further lateral movement within the network. The scope of impact depends on the exposure of JMX/RMI ports and the prevalence of vulnerable dd-trace-java versions within an organization's infrastructure. This vulnerability can affect any application instrumented by dd-trace-java on JDK 16 or earlier where the aforementioned conditions are met.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>For JDK &gt;= 8u121 &lt; JDK 17: Upgrade to dd-trace-java version 1.60.3 or later to patch the vulnerability.</li>
<li>For JDK &lt; 8u121 and earlier where serialization filters are not available: Set the environment variable <code>DD_INTEGRATION_RMI_ENABLED=false</code> to disable the RMI integration as a workaround.</li>
<li>Identify all systems running dd-trace-java versions prior to 1.60.3 to prioritize patching or applying the workaround.</li>
<li>Monitor network connections to JMX/RMI ports (typically TCP ports) for suspicious activity.</li>
<li>Deploy the Sigma rule &quot;Detect dd-trace-java RMI Deserialization Attempt&quot; to detect attempts to exploit this vulnerability by identifying suspicious serialized objects in network traffic to JMX/RMI ports.</li>
<li>Consider implementing network segmentation to limit access to JMX/RMI ports from untrusted networks.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rce</category><category>deserialization</category><category>dd-trace-java</category><category>java</category></item></channel></rss>