CVE-2026-33728

描述

In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: 1. dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier 2. A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable 3. A gadget-chain-compatible library is present on the classpath ### Impact Arbitrary remote code execution with the privileges of the user running the instrumented JVM. ### Recommendation - For JDK >= 17: No action is required, but upgrading is strongly encouraged. - For JDK >= 8u121 < JDK 17: Upgrade to dd-trace-java version 1.60.3 or later. - For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround described below. ### Workarounds Set the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false` ### Credits This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.

如何修補 CVE-2026-33728

要修補 CVE-2026-33728,請將受影響套件升級到下列已修補版本。

• —升級至 1.60.3 或更新版本

CVE-2026-33728 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 0.40.0, < 1.60.3

CVSS 分數