Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability in OpenTelemetry Java Instrumentation could allow an attacker with network access to a JMX or RMI port to execute arbitrary code on affected Java applications, potentially impacting system integrity and confidentiality. This issue is particularly relevant for Java 16 and earlier versions where specific configuration conditions are met. The main concern is confirming relevance and exposure.
- Unfiltered data input enables remote code execution.
- Matters if using older Java and specific management ports.
- Confirm if your older Java applications are exposed.
Attack Path
How an attacker could exploit the issue
An attacker could reach a Java application's JMX or RMI port if it's network-exposed and running an older JDK with specific OpenTelemetry Java instrumentation. By sending specially crafted data to this port, the attacker could exploit the instrumentation's deserialization flaw to execute arbitrary code on the server.
- Network access to JMX/RMI port required.
- Vulnerable RMI instrumentation triggers deserialization.
- Risk of remote code execution.
Live Threat
Current exploitation, exposure, and threat context
When OpenTelemetry Java instrumentation is used as a Java agent on Java 16 or earlier, with a network-accessible JMX or RMI port, and compatible libraries on the classpath, an attacker could execute arbitrary code on the instrumented system.
- Arbitrary code execution on the JVM.
- Network access to JMX/RMI port.
- Compromise of the user's privileges.
Operational Fix
Recommended remediation, mitigation, and detection steps
Platform or application owners responsible for Java applications using OpenTelemetry instrumentation should prioritize understanding their exposure to this critical vulnerability. The immediate first step is to identify all instances of the affected OpenTelemetry Java instrumentation, confirm if they are running on JDK 16 or earlier and have a network-accessible JMX or RMI port configured, and then verify the presence of gadget-chain-compatible libraries. This will allow for a risk-based remediation plan, which may involve upgrading OpenTelemetry, configuring specific system properties to disable RMI integration, or coordinating with vendor-management teams if the affected application is from a third party.
- Platform and application owners should own this.
- Verify JDK version and RMI port exposure.
- Plan remediation based on confirmed risk.