Datadog dd-trace-java RMI Instrumentation Deserialization Vulnerability Leading to Remote Code Execution
Vulnerability
A vulnerability exists in the Datadog APM client for Java, specifically in the dd-trace-java library, in versions from 0.40.0 up to, but not including, 1.60.2. The issue arises in the RMI instrumentation, which registered a custom endpoint that deserialized incoming data without applying the necessary serialization filters. This flaw creates a potential for remote code execution on JDK versions 16 and earlier. Exploitation requires that dd-trace-java be attached as a Java agent on a compatible JVM, that a JMX or RMI port be explicitly configured and network-reachable, and that a gadget-chain-compatible library be present on the classpath.
Impact
Exploitation of this vulnerability could lead to arbitrary remote code execution on the affected system, with the same privileges as the user running the instrumented JVM.
Remediation
Users on JDK 17 or later do not need to take any action, but upgrading is strongly recommended. For JDK versions 8u121 and earlier, users should upgrade to dd-trace-java version 1.60.3 or later. For JDK versions prior to 8u121 where serialization filters are not available, the RMI integration can be disabled by setting the environment variable DD_INTEGRATION_RMI_ENABLED=false.
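The advisory's root cause and its remediation both turn on serialization filters (JEP 290, available from JDK 8u121 and as java.io.ObjectInputFilter from JDK 9). The following is an added illustration, not code from dd-trace-java, showing the unfiltered read pattern the advisory describes beside a filtered one that only admits classes from the java.base module and rejects everything else; the Payload class and the input bytes are constructed here for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserialization {

    // Allow-list filter (JDK 9+ API): classes from the java.base module only,
    // bounded graph depth and array size, and an explicit reject-all ("!*") tail.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.base/*;maxdepth=10;maxarray=10000;!*");

    // The pattern the advisory describes: bytes from the network go straight into
    // readObject() with no filter, so any serializable class on the classpath loads.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened variant: the filter is installed before the first readObject() call,
    // so class resolution is checked against the allow-list as the stream is parsed.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper to produce constructed sample input for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed application class outside java.base; stands in for any class the
    // filter has not explicitly allowed (a gadget class would be rejected the same way).
    static class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        int value = 1;
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize("hello");      // java.lang.String lives in java.base
        byte[] other = serialize(new Payload()); // unnamed module, not on the allow-list

        System.out.println("unfiltered, Payload: " + readUnfiltered(other).getClass().getName());
        System.out.println("filtered, String:    " + readFiltered(benign));
        try {
            readFiltered(other);
        } catch (InvalidClassException e) {
            // Expected: filter status REJECTED, raised before Payload is instantiated.
            System.out.println("filtered, Payload:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

On JDK 8u121 through 8 the same mechanism is exposed as sun.misc.ObjectInputFilter, installed with ObjectInputFilter.Config.setObjectInputFilter(ois, filter), since ObjectInputStream.setObjectInputFilter does not exist there. A process-wide filter can also be applied without code changes through the jdk.serialFilter system property (for example -Djdk.serialFilter='java.base/*;!*'), which is the practical option when the deserializing code, as in the instrumented endpoint here, is not your own; the allow-list must then be widened to cover every class the application legitimately deserializes.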
