Insecure deserialization In com.datadoghq:dd-java-agent
Description
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:
dd-trace-java is attached as a Java agent (-javaagent) on Java 16 or earlier
A JMX/RMI port has been explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable
A gadget-chain-compatible library is present on the classpath
Impact
Arbitrary remote code execution with the privileges of the user running the instrumented JVM.
Recommendation
For JDK >= 17: No action is required, but upgrading is strongly encouraged.
For JDK >= 8u121 < JDK 17: Upgrade to dd-trace-java version 1.60.3 or later.
For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround described below.
Workarounds
Set the following environment variable to disable the RMI integration: DD_INTEGRATION_RMI_ENABLED=false
Credits
This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 maven | 1.60.3 |
Aliases
References