{"url":"http://public2.vulnerablecode.io/api/packages/979190?format=json","purl":"pkg:maven/com.splunk/splunk-otel-javaagent@1.8.1","type":"maven","namespace":"com.splunk","name":"splunk-otel-javaagent","version":"1.8.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.26.1","latest_non_vulnerable_version":"2.26.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360198?format=json","vulnerability_id":"VCID-e1dc-wmdh-fkfq","summary":"splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution\nIn versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:\n1. Splunk Distribution of OpenTelemetry Java is attached as a Java agent (`-javaagent`)\n2. An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service)\n3. A gadget-chain-compatible library is present on the classpath\n\n### Impact\nArbitrary remote code execution with the privileges of the user running the instrumented JVM.\n\n### Recommendation\nUpgrade to version 2.26.1 or later.\n\n### Workarounds\nSet the following system property to disable the RMI integration:\n\n```\n-Dotel.instrumentation.rmi.enabled=false\n```\n\n### References\n[Advisory in OpenTelemetry Instrumentation for Java](https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7)","references":[{"reference_url":"https://github.com/signalfx/splunk-otel-java","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/signalfx/splunk-otel-java"},{"reference_url":"https://github.com/signalfx/splunk-otel-java/security/advisories/GHSA-h8w2-rv57-vc6f","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/signalfx/splunk-otel-java/security/advisories/GHSA-h8w2-rv57-vc6f"},{"reference_url":"https://github.com/advisories/GHSA-h8w2-rv57-vc6f","reference_id":"GHSA-h8w2-rv57-vc6f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h8w2-rv57-vc6f"},{"reference_url":"https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7","reference_id":"GHSA-xw7x-h9fj-p2c7","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375269?format=json","purl":"pkg:maven/com.splunk/splunk-otel-javaagent@2.26.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.splunk/splunk-otel-javaagent@2.26.1"}],"aliases":["GHSA-h8w2-rv57-vc6f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e1dc-wmdh-fkfq"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.splunk/splunk-otel-javaagent@1.8.1"}
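The record above is what a supply-chain gate consumes: one package purl, the vulnerabilities it is affected by, the CVSS scores hanging off each reference, the fixed purls, and a workaround flag buried in the advisory text. The following is an added example of turning such a record into a build decision and a per-host exposure check; it is not code from VulnerableCode, Splunk, or the OpenTelemetry project. The `SAMPLE_RECORD` is an abridged copy of the page's own response (unused fields dropped, the markdown fence around the workaround flag removed), and the function names, the CVSS threshold, and the command-line heuristic in `agent_exposure` are this example's own assumptions. Of the advisory's three conditions, only the first (the agent is attached) and the documented workaround are visible on a JVM command line; a reachable RMI or JMX endpoint and a gadget-chain library on the classpath still have to be verified separately.

```python
"""Turn a VulnerableCode package record into a CI gate and a host triage check.

Added example, not part of VulnerableCode or the Splunk/OpenTelemetry
projects. Function names and the command-line heuristics are assumptions.
"""
import re
from dataclasses import dataclass, field

# Abridged copy of the page's API response for
# pkg:maven/com.splunk/splunk-otel-javaagent@1.8.1 (unused fields dropped,
# the markdown code fence around the workaround flag removed).
SAMPLE_RECORD = {
    "purl": "pkg:maven/com.splunk/splunk-otel-javaagent@1.8.1",
    "name": "splunk-otel-javaagent",
    "version": "1.8.1",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "2.26.1",
    "affected_by_vulnerabilities": [{
        "vulnerability_id": "VCID-e1dc-wmdh-fkfq",
        "aliases": ["GHSA-h8w2-rv57-vc6f"],
        "summary": (
            "splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation "
            "may lead to Remote Code Execution\n"
            "### Workarounds\nSet the following system property to disable the "
            "RMI integration:\n\n-Dotel.instrumentation.rmi.enabled=false\n"
        ),
        "references": [{
            "reference_id": "GHSA-xw7x-h9fj-p2c7",
            "scores": [
                {"value": "9.3", "scoring_system": "cvssv4",
                 "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
                {"value": "CRITICAL", "scoring_system": "generic_textual",
                 "scoring_elements": ""},
            ],
        }],
        "fixed_packages": [
            {"purl": "pkg:maven/com.splunk/splunk-otel-javaagent@2.26.1"}
        ],
    }],
}

# A "-Dkey=value" line quoted on its own in the advisory's Workarounds section.
SYSPROP_RE = re.compile(r"^-D[\w.]+=\S+$", re.MULTILINE)


@dataclass
class Finding:
    vulnerability_id: str
    aliases: list
    max_cvss: float          # highest numeric CVSS score across all references
    cvss_vector: str
    fixed_purls: list
    workaround_flags: list   # system properties the advisory names as a workaround


@dataclass
class Triage:
    purl: str
    vulnerable: bool
    upgrade_to: str          # next_non_vulnerable_version from the record
    findings: list = field(default_factory=list)

    def block_build(self, threshold=7.0):
        """CI gate (assumed policy): fail when any finding reaches the threshold."""
        return self.vulnerable and any(f.max_cvss >= threshold for f in self.findings)


def version_key(v):
    """Comparable key for dotted versions ('2.26.1' > '2.9.0'); a suffix such
    as '-rc1' sorts below the plain release of the same number."""
    core, _, suffix = v.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums, suffix == "", suffix


def max_cvss(vuln):
    """Highest numeric CVSS score (any version) attached to the vulnerability's references."""
    best = (0.0, "")
    for ref in vuln.get("references", []):
        for s in ref.get("scores", []):
            if not s.get("scoring_system", "").startswith("cvss"):
                continue               # skip textual severities such as CRITICAL
            try:
                score = float(s["value"])
            except ValueError:
                continue
            if score > best[0]:
                best = (score, s.get("scoring_elements", ""))
    return best


def triage(record):
    t = Triage(record["purl"], bool(record["is_vulnerable"]),
               record.get("next_non_vulnerable_version") or "")
    for v in record.get("affected_by_vulnerabilities", []):
        score, vector = max_cvss(v)
        t.findings.append(Finding(
            v["vulnerability_id"], list(v.get("aliases", [])), score, vector,
            [p["purl"] for p in v.get("fixed_packages", [])],
            SYSPROP_RE.findall(v.get("summary", "")),
        ))
    return t


def agent_exposure(cmdline, triage_result):
    """Classify one JVM command line (heuristic, assumed jar naming):
    no agent -> not_instrumented; agent at or above the fix -> fixed_version;
    every advisory workaround flag present -> mitigated_by_workaround;
    otherwise exposed_if_rmi_reachable (RMI reachability and a gadget
    library on the classpath are NOT checked here)."""
    if not re.search(r"-javaagent:\S*splunk-otel-javaagent\S*\.jar", cmdline):
        return "not_instrumented"
    m = re.search(r"splunk-otel-javaagent-([0-9][\w.\-]*?)\.jar", cmdline)
    if m and triage_result.upgrade_to and \
            version_key(m.group(1)) >= version_key(triage_result.upgrade_to):
        return "fixed_version"
    flags = [fl for f in triage_result.findings for fl in f.workaround_flags]
    if flags and all(fl in cmdline.split() for fl in flags):
        return "mitigated_by_workaround"
    return "exposed_if_rmi_reachable"
```

Usage: `triage(SAMPLE_RECORD).block_build()` is the CI decision; `agent_exposure(cmdline, triage(SAMPLE_RECORD))` can be run over `ps -o args` output from each host to find JVMs still on an affected agent without the `-Dotel.instrumentation.rmi.enabled=false` workaround. Treat "mitigated_by_workaround" as temporary: the record's `next_non_vulnerable_version` (2.26.1) is the actual fix.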