{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/datadog/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dd-trace-java"],"_cs_severities":["critical"],"_cs_tags":["rce","deserialization","dd-trace-java","java"],"_cs_type":"advisory","_cs_vendors":["Datadog"],"content_html":"\u003cp\u003eA critical vulnerability exists in the dd-trace-java library, specifically within its RMI instrumentation. Versions prior to 1.60.3 are susceptible to unsafe deserialization of incoming data on a custom RMI endpoint, potentially leading to remote code execution. This vulnerability affects applications using dd-trace-java as a Java agent on Java 16 or earlier. The exploitability hinges on three conditions: the agent being attached, a JMX/RMI port being explicitly configured and network-reachable, and the presence of a gadget-chain-compatible library on the classpath. This vulnerability, responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program, poses a significant threat to applications instrumented with vulnerable versions of dd-trace-java. Successful exploitation grants the attacker the privileges of the user running the instrumented JVM.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target system running dd-trace-java as a Java agent on JDK 16 or earlier, with a JMX/RMI port exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker probes the exposed JMX/RMI port (typically configured via \u003ccode\u003e-Dcom.sun.management.jmxremote.port\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized payload using a gadget-chain-compatible library present on the target's classpath.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious serialized payload to the vulnerable RMI endpoint registered by dd-trace-java.\u003c/li\u003e\n\u003cli\u003eThe vulnerable RMI instrumentation in dd-trace-java deserializes the incoming data without proper validation or serialization filters.\u003c/li\u003e\n\u003cli\u003eThe deserialization process triggers the gadget chain within the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe gadget chain executes arbitrary code on the target system, granting the attacker control.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution with the privileges of the user running the instrumented JVM.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for arbitrary remote code execution with the privileges of the user running the instrumented JVM. This could lead to complete system compromise, data theft, denial of service, or further lateral movement within the network. The scope of impact depends on the exposure of JMX/RMI ports and the prevalence of vulnerable dd-trace-java versions within an organization's infrastructure. This vulnerability can affect any application instrumented by dd-trace-java on JDK 16 or earlier where the aforementioned conditions are met.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFor JDK \u0026gt;= 8u121 \u0026lt; JDK 17: Upgrade to dd-trace-java version 1.60.3 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eFor JDK \u0026lt; 8u121 and earlier where serialization filters are not available: Set the environment variable \u003ccode\u003eDD_INTEGRATION_RMI_ENABLED=false\u003c/code\u003e to disable the RMI integration as a workaround.\u003c/li\u003e\n\u003cli\u003eIdentify all systems running dd-trace-java versions prior to 1.60.3 to prioritize patching or applying the workaround.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to JMX/RMI ports (typically TCP ports) for suspicious activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect dd-trace-java RMI Deserialization Attempt\u0026quot; to detect attempts to exploit this vulnerability by identifying suspicious serialized objects in network traffic to JMX/RMI ports.\u003c/li\u003e\n\u003cli\u003eConsider implementing network segmentation to limit access to JMX/RMI ports from untrusted networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-dd-trace-java-rce/","summary":"A remote code execution vulnerability exists in dd-trace-java versions prior to 1.60.3 due to unsafe deserialization in the RMI instrumentation, potentially allowing attackers with network access to a JMX or RMI port to execute arbitrary code on affected systems.","title":"dd-trace-java RMI Deserialization Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-dd-trace-java-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Datadog","version":"https://jsonfeed.org/version/1.1"}