OpenTelemetry Java Instrumentation RMI Deserialization Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability in the RMI integration of OpenTelemetry Java Instrumentation prior to version 2.26.1 causes incoming data to be deserialized unsafely, which could be exploited to achieve remote code execution. This issue affects versions through 2.26.0. The vulnerability is reachable when OpenTelemetry is attached as a Java agent on JDK 16 or earlier and the JMX or RMI port is network-accessible. Additionally, a gadget-chain-compatible library must be present on the classpath. Under these conditions, an attacker could exploit the deserialization flaw to execute arbitrary code with the privileges of the user running the instrumented JVM.

Impact

Exploitation of this vulnerability allows arbitrary remote code execution on the affected JVM, with the same privileges as the user running the JVM.

Remediation

Users should upgrade to OpenTelemetry Java Instrumentation version 2.26.1 or later. For those on JDK versions prior to 17 who cannot upgrade immediately, the RMI integration can be disabled by setting the system property '-Dotel.instrumentation.rmi.enabled=false'.
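As an added triage helper (not part of this advisory or of the OpenTelemetry project), the function below decides from a JVM's command line, JDK major version and agent version whether an instance falls into the affected configuration described above. It assumes the agent jar keeps its default name opentelemetry-javaagent.jar, and it treats a configured com.sun.management.jmxremote.port only as a hint that remote JMX may be exposed, since network reachability cannot be judged from the command line alone.

```python
"""Triage helper for the OpenTelemetry Java agent RMI deserialization issue."""
import re

FIXED_AGENT_VERSION = (2, 26, 1)   # first release containing the fix
LAST_AFFECTED_JDK = 16             # JDK 17+ is outside the affected range
RMI_OPT_OUT = "-Dotel.instrumentation.rmi.enabled=false"
AGENT_JAR_HINT = "opentelemetry-javaagent"  # assumption: default jar name kept


def parse_version(text):
    """Turn '2.26.0' into (2, 26, 0); tolerates a '-SNAPSHOT' style suffix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(cmdline, jdk_major, agent_version):
    """Return (status, reasons) where status is one of
    'not-affected', 'mitigated' or 'affected'."""
    if "-javaagent:" not in cmdline or AGENT_JAR_HINT not in cmdline:
        return "not-affected", ["OpenTelemetry Java agent not attached"]
    if parse_version(agent_version) >= FIXED_AGENT_VERSION:
        return "not-affected", [f"agent {agent_version} includes the fix"]
    if jdk_major > LAST_AFFECTED_JDK:
        return "not-affected", [f"JDK {jdk_major} is outside the affected range"]
    if RMI_OPT_OUT in cmdline:
        return "mitigated", ["RMI instrumentation disabled via system property"]
    reasons = [f"agent {agent_version} is older than 2.26.1 on JDK {jdk_major}"]
    # Heuristic only: a configured remote JMX port suggests network exposure.
    if "-Dcom.sun.management.jmxremote.port=" in cmdline:
        reasons.append("remote JMX port configured; confirm it is not reachable")
    return "affected", reasons


if __name__ == "__main__":
    # Constructed sample command line, as it would appear in `ps` output.
    sample = ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
              "-Dcom.sun.management.jmxremote.port=9010 -jar app.jar")
    status, why = assess(sample, jdk_major=11, agent_version="2.26.0")
    print(status, "|", "; ".join(why))
```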

Added: Mar 27, 2026, 1:32 AM
Updated: Mar 27, 2026, 1:32 AM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 10.0
exploitability: 4.4
remediation: 8.3
relevance: 4.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.