The dd-trace-java agent versions 0.40.0 up to but not including 1.60.3 contain a deserialization of untrusted data vulnerability (CWE-502) in their RMI instrumentation endpoint. This endpoint deserializes data without serialization filters on JDK 16 and earlier, allowing an attacker with network access to a configured JMX/RMI port to potentially execute remote code if a gadget-chain-compatible library is present. The vulnerability requires three conditions: the agent attached as a Java agent on JDK 16 or earlier, a network-reachable JMX/RMI port configured, and a suitable gadget chain on the classpath. JDK 17 and later are not affected. Mitigation includes upgrading to dd-trace-java 1.60.3 or later for JDK 8u121 through JDK 16, or disabling RMI integration via environment variable for older JDK versions lacking serialization filters.

An attacker with network access to a configured JMX or RMI port on an instrumented JVM running dd-trace-java versions 0.40.0 to prior to 1.60.3 on JDK 16 or earlier can potentially achieve remote code execution. This could allow full compromise of the affected system. The vulnerability is critical with a CVSS 4.0 base score of 9.3, indicating high impact and ease of exploitation under the specified conditions.

A fix is available by upgrading dd-trace-java to version 1.60.3 or later for JDK versions 8u121 through 16. For JDK 17 and later, no action is required, though upgrading is recommended. For JDK versions earlier than 8u121 where serialization filters are unavailable, apply the workaround by setting the environment variable DD_INTEGRATION_RMI_ENABLED=false to disable the vulnerable RMI integration. These steps effectively mitigate the vulnerability.