OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent) An RMI endpoint …