dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution

In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:

1. dd-trace-java is attached as a Java agent (-javaagent) on Java 16 or earlier
2. A JMX/RMI port has been explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable
3. A gadget-chain-compatible library is present on the classpath

Impact

Arbitrary remote code execution with the privileges of the user running the instrumented JVM.

Recommendation

• For JDK >= 17: No action is required, but upgrading is strongly encouraged.
• For JDK >= 8u121 < JDK 17: Upgrade to dd-trace-java version 1.60.3 or later.
• For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround described below.

Workarounds

Set the following environment variable to disable the RMI integration: DD_INTEGRATION_RMI_ENABLED=false

Credits

This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.