<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rmi - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rmi/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rmi/feed.xml" rel="self" type="application/rss+xml"/><item><title>Splunk OpenTelemetry Java Agent RMI Deserialization Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-splunk-otel-rmi-rce/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-splunk-otel-rmi-rce/</guid><description>A remote code execution vulnerability exists in splunk-otel-javaagent versions prior to 2.26.1 due to unsafe deserialization in RMI instrumentation, potentially allowing attackers with network access to execute arbitrary code on affected systems.</description><content:encoded><![CDATA[<p>The Splunk Distribution of OpenTelemetry Java Agent, in versions prior to 2.26.1, contains a critical vulnerability related to unsafe deserialization within its RMI instrumentation. Specifically, the RMI instrumentation registers a custom endpoint that deserializes incoming data without proper serialization filters. This can be exploited by an attacker with network access to a JMX or RMI port on a JVM instrumented with the affected agent. Successful exploitation requires the agent to be attached via <code>-javaagent</code>, a network-reachable RMI endpoint (like JMX), and the presence of a gadget-chain-compatible library on the classpath. This vulnerability was disclosed on March 26, 2026. Defenders should upgrade to version 2.26.1 or implement the provided workaround immediately.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains network access to a target system running a vulnerable version of <code>splunk-otel-javaagent</code>.</li>
<li>The Splunk OpenTelemetry Java Agent is running with <code>-javaagent</code> to enable instrumentation.</li>
<li>An RMI endpoint (e.g., JMX remote port) is exposed and network-reachable.</li>
<li>The attacker crafts a malicious serialized object containing a gadget chain.</li>
<li>The attacker sends the malicious serialized object to the vulnerable RMI endpoint.</li>
<li>The <code>splunk-otel-javaagent</code> deserializes the object without proper filtering in its RMI instrumentation.</li>
<li>The gadget chain within the deserialized object is triggered, leading to code execution.</li>
<li>The attacker executes arbitrary commands on the target system with the privileges of the JVM process.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows arbitrary remote code execution with the privileges of the user running the instrumented JVM. This can lead to full system compromise, data exfiltration, or denial of service. The impact is considered critical due to the ease of exploitation and the potential for significant damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to <code>splunk-otel-javaagent</code> version 2.26.1 or later to patch the vulnerability.</li>
<li>As a workaround, set the system property <code>-Dotel.instrumentation.rmi.enabled=false</code> to disable the RMI integration.</li>
<li>Monitor JVM processes for unexpected network connections, which could indicate exploitation attempts. Use <code>network_connection</code> logs to detect unusual RMI activity.</li>
<li>Implement egress filtering to restrict outbound RMI traffic to known and trusted destinations to limit potential damage.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rmi</category><category>deserialization</category><category>rce</category><category>javaagent</category></item></channel></rss>