CVE-2026-33701
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
Description

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.

All three of the following conditions must be true to exploit this vulnerability:

1. OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`).
2. An RMI endpoint is network-reachable (e.g. a JMX remote port, an RMI registry, or any application-exported RMI service).
3. A gadget-chain-compatible library is present on the classpath.

### Impact

Arbitrary remote code execution with the privileges of the user running the instrumented JVM.

### Recommendation

Upgrade to version 2.26.1 or later.

### Workarounds

Set the following system property to disable the RMI integration:

```
-Dotel.instrumentation.rmi.enabled=false
```

### Credits

This vulnerability was responsibly disclosed in coordination with Datadog.
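The advisory's first two conditions and the workaround are all visible on a JVM's command line, so an inventory pass can sort instrumented JVMs into patched, mitigated and exposed before anyone touches a port scanner. The script below is an added triage example, not code from the OpenTelemetry project: it takes a constructed inventory of (pid, agent version, command line) tuples, where the agent version is assumed to come from your own tooling (for instance by reading the attached agent jar), and checks whether the agent is attached, whether it is older than 2.26.1, whether `-Dotel.instrumentation.rmi.enabled=false` is set as a real JVM option, and whether a JMX remote port is configured. Condition 3 (a gadget chain on the classpath) cannot be read from the command line and is conservatively assumed to hold.

```python
"""Triage helper for CVE-2026-33701: checks the advisory's exploit conditions
that are visible on a JVM command line. Added example; not OpenTelemetry code."""
import re
import shlex

FIXED_VERSION = (2, 26, 1)  # first fixed release per the advisory
RMI_DISABLE_FLAG = "-Dotel.instrumentation.rmi.enabled=false"  # advisory workaround
JMX_PORT_FLAG = "-Dcom.sun.management.jmxremote.port="  # one way an RMI endpoint becomes reachable

# Constructed sample inventory: (pid, agent version as reported by your own
# inventory tooling, or None when no agent is attached, JVM command line).
SAMPLE_JVMS = [
    ("4101", "2.25.0", "java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
                       "-Dcom.sun.management.jmxremote.port=9010 -jar orders.jar"),
    ("4102", "2.25.0", "java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
                       "-Dotel.instrumentation.rmi.enabled=false -jar billing.jar"),
    ("4103", "2.26.1", "java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
                       "-Dcom.sun.management.jmxremote.port=9011 -jar inventory.jar"),
    ("4104", None,     "java -Dcom.sun.management.jmxremote.port=9012 -jar legacy.jar"),
    # Workaround flag placed after -jar: it is an application argument, not a JVM option.
    ("4105", "2.25.0", "java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
                       "-jar worker.jar -Dotel.instrumentation.rmi.enabled=false"),
]


def parse_version(text):
    """'2.25.0' -> (2, 25, 0); raises on anything that is not MAJOR.MINOR.PATCH."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable agent version: {text!r}")
    return tuple(int(x) for x in m.groups())


def jvm_options(cmdline):
    """Return only the JVM options: everything between the launcher and '-jar'.
    Anything after '-jar <file>' is handed to the application and ignored by the
    JVM, so a workaround flag placed there does nothing."""
    args = shlex.split(cmdline)[1:]
    if "-jar" in args:
        return args[: args.index("-jar")]
    return args  # assumption: no '-jar' means a plain main-class launch; treat all as options


def assess_jvm(cmdline, agent_version):
    """Evaluate one JVM against the advisory's conditions and the workaround."""
    opts = jvm_options(cmdline)
    agent_attached = any(o.startswith("-javaagent:") and "opentelemetry-javaagent" in o
                         for o in opts)  # a renamed agent jar would be missed here
    rmi_disabled = RMI_DISABLE_FLAG in opts
    jmx_port = next((o[len(JMX_PORT_FLAG):] for o in opts if o.startswith(JMX_PORT_FLAG)), None)
    patched = (agent_attached and agent_version is not None
               and parse_version(agent_version) >= FIXED_VERSION)

    # Condition 3 (gadget chain on the classpath) is not visible here; assume it holds.
    if not agent_attached:
        verdict, reason = "not_affected", "OpenTelemetry agent not attached"
    elif patched:
        verdict, reason = "not_affected", f"agent {agent_version} is a fixed version"
    elif rmi_disabled:
        verdict, reason = "mitigated", "rmi instrumentation disabled; still upgrade"
    elif jmx_port:
        verdict, reason = "vulnerable", f"unpatched agent and JMX remote port {jmx_port}"
    else:
        verdict, reason = "at_risk", "unpatched agent; confirm no RMI endpoint is reachable"
    return {"verdict": verdict, "reason": reason, "agent_attached": agent_attached,
            "rmi_disabled": rmi_disabled, "jmx_port": jmx_port}


def run_triage(inventory=SAMPLE_JVMS):
    """Map pid -> verdict for an inventory of (pid, agent_version, cmdline)."""
    return {pid: assess_jvm(cmd, ver)["verdict"] for pid, ver, cmd in inventory}


if __name__ == "__main__":
    for pid, ver, cmd in SAMPLE_JVMS:
        r = assess_jvm(cmd, ver)
        print(f"pid {pid}: {r['verdict']:<12} {r['reason']}")
```

The `at_risk` bucket is deliberate: an RMI registry or an application-exported RMI service does not show up as a JVM flag, so a JVM with an unpatched agent and no JMX port flag still needs a listening-port check before it can be called unaffected. The pid 4105 entry shows the placement trap with the workaround: the property only counts when it precedes `-jar`.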
How to fix CVE-2026-33701
To fix CVE-2026-33701, upgrade the affected package to the patched version listed below.
- — Upgrade to 2.26.1 or later
Is CVE-2026-33701 being exploited?
Low: EPSS is 0.2%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 2.26.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (5)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2026-33701
- PATCH: github.com/open-telemetry/opentelemetry-java-instrumentation
- WEB: github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197
- WEB: github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1