Oracle · Java Development Kit · CVE-2026-33728
**Name of the Vulnerable Software and Affected Versions**
dd-trace-java versions 0.40.0 up to, but not including, 1.60.2
**Description**
dd-trace-java is a Datadog APM client for Java. The RMI instrumentation in affected versions registered a custom endpoint that deserialized incoming data without applying serialization filters. On Java Development Kit (JDK) version 16 and earlier, an attacker with network access to a Java Management Extensions (JMX) or Remote Method Invocation (RMI) port on an instrumented Java Virtual Machine (JVM) could potentially achieve remote code execution. Three conditions must be met for exploitation: First, dd-trace-java must be attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, a JMX/RMI port must be explicitly configured via `-Dcom.sun.management.jmxremote.port` and be network-reachable. Third, a gadget-chain-compatible library must be present on the classpath. The vulnerability involves unsafe deserialization, which could lead to arbitrary remote code execution with the privileges of the user running the instrumented JVM.
**Recommendations**
For JDK versions 17 and later: No action is required, but upgrading is strongly encouraged.
For JDK versions 8u121 up to, but not including, 17: Upgrade to dd-trace-java version 1.60.3 or later.
For JDK versions earlier than 8u121, where serialization filters are not available: Set the environment variable `DD_INTEGRATION_RMI_ENABLED=false` to disable the RMI integration.
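The three exploitation conditions and the mitigations above can be checked mechanically against a JVM's launch parameters. The following audit helper is an added example, not part of the advisory or of dd-trace-java; it assumes the agent jar is named `dd-java-agent.jar` and that `-Ddd.integration.rmi.enabled=false` is the system-property form of the environment variable. Gadget-chain presence (the third condition) is not detectable from a command line and is left to a classpath review.

```shell
#!/bin/sh
# Audit helper (added example): does a JVM launch match the advisory's
# first two conditions (dd-java-agent attached on Java <= 16, JMX/RMI
# port configured) without the RMI-integration kill switch set?
# Assumptions: agent jar is dd-java-agent.jar; the system property
# dd.integration.rmi.enabled mirrors DD_INTEGRATION_RMI_ENABLED.
# Caveat: options injected via JAVA_TOOL_OPTIONS are not seen here.
#
# $1 = Java major version (8, 11, 17 ...)
# $2 = JVM command line as one string
# $3 = value of DD_INTEGRATION_RMI_ENABLED in the process env ("" if unset)
# Returns 0 (and prints EXPOSED) when the JVM needs action, 1 otherwise.
dd_rmi_exposed() {
  ver=$1; cmd=$2; rmi_env=$3
  agent=0; jmx=0; rmi_prop=0
  case "$cmd" in *-javaagent:*dd-java-agent*) agent=1 ;; esac
  case "$cmd" in *-Dcom.sun.management.jmxremote.port=*) jmx=1 ;; esac
  case "$cmd" in *-Ddd.integration.rmi.enabled=false*) rmi_prop=1 ;; esac

  if [ "$ver" -ge 17 ]; then
    echo "not exposed: JDK $ver, no action required per advisory"; return 1
  fi
  if [ "$agent" -ne 1 ]; then
    echo "not exposed: dd-java-agent not attached"; return 1
  fi
  if [ "$jmx" -ne 1 ]; then
    echo "not exposed: no JMX/RMI port configured"; return 1
  fi
  if [ "$rmi_env" = "false" ] || [ "$rmi_prop" -eq 1 ]; then
    echo "mitigated: RMI integration disabled"; return 1
  fi
  echo "EXPOSED: JDK $ver with dd-java-agent and a JMX/RMI port;" \
       "upgrade dd-trace-java to 1.60.3+ (or disable RMI on JDK < 8u121)"
  return 0
}
```

On a live host the command line for a process comes from `ps -o args= -p <pid>` and its environment from `/proc/<pid>/environ`; the Java major version is still a manual input.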