{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rmi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk OpenTelemetry Java Agent"],"_cs_severities":["critical"],"_cs_tags":["rmi","deserialization","rce","javaagent"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThe Splunk Distribution of OpenTelemetry Java Agent, in versions prior to 2.26.1, contains a critical vulnerability related to unsafe deserialization within its RMI instrumentation. Specifically, the RMI instrumentation registers a custom endpoint that deserializes incoming data without proper serialization filters. This can be exploited by an attacker with network access to a JMX or RMI port on a JVM instrumented with the affected agent. Successful exploitation requires the agent to be attached via \u003ccode\u003e-javaagent\u003c/code\u003e, a network-reachable RMI endpoint (like JMX), and the presence of a gadget-chain-compatible library on the classpath. This vulnerability was disclosed on March 26, 2026. Defenders should upgrade to version 2.26.1 or implement the provided workaround immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to a target system running a vulnerable version of \u003ccode\u003esplunk-otel-javaagent\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Splunk OpenTelemetry Java Agent is running with \u003ccode\u003e-javaagent\u003c/code\u003e to enable instrumentation.\u003c/li\u003e\n\u003cli\u003eAn RMI endpoint (e.g., JMX remote port) is exposed and network-reachable.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized object containing a gadget chain.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious serialized object to the vulnerable RMI endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esplunk-otel-javaagent\u003c/code\u003e deserializes the object without proper filtering in its RMI instrumentation.\u003c/li\u003e\n\u003cli\u003eThe gadget chain within the deserialized object is triggered, leading to code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the target system with the privileges of the JVM process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows arbitrary remote code execution with the privileges of the user running the instrumented JVM. This can lead to full system compromise, data exfiltration, or denial of service. The impact is considered critical due to the ease of exploitation and the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003esplunk-otel-javaagent\u003c/code\u003e version 2.26.1 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eAs a workaround, set the system property \u003ccode\u003e-Dotel.instrumentation.rmi.enabled=false\u003c/code\u003e to disable the RMI integration.\u003c/li\u003e\n\u003cli\u003eMonitor JVM processes for unexpected network connections, which could indicate exploitation attempts. Use \u003ccode\u003enetwork_connection\u003c/code\u003e logs to detect unusual RMI activity.\u003c/li\u003e\n\u003cli\u003eImplement egress filtering to restrict outbound RMI traffic to known and trusted destinations to limit potential damage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-splunk-otel-rmi-rce/","summary":"A remote code execution vulnerability exists in splunk-otel-javaagent versions prior to 2.26.1 due to unsafe deserialization in RMI instrumentation, potentially allowing attackers with network access to execute arbitrary code on affected systems.","title":"Splunk OpenTelemetry Java Agent RMI Deserialization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-splunk-otel-rmi-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Rmi","version":"https://jsonfeed.org/version/1.1"}