Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the RMI integration. An attacker can execute arbitrary code with the privileges of the user running the instrumented JVM by sending specially crafted serialized data to a network-exposed JMX or RMI port. Note: This is only exploitable if the agent is attached as a Java agent on Java 16 or earlier, a JMX/RMI port is explicitly configured and network-reachable, and a gadget-chain-compatible library is present on the classpath. How to fix Deserialization of Untrusted Data? Upgrade `com.datadoghq:dd-java-agent` to version 1.60.3 or higher.	[0.40.0,1.60.3)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the RMI integration. An attacker can execute arbitrary code with the privileges of the user running the instrumented JVM by sending specially crafted serialized data to a network-exposed JMX or RMI port.

Note:

This is only exploitable if the agent is attached as a Java agent on Java 16 or earlier, a JMX/RMI port is explicitly configured and network-reachable, and a gadget-chain-compatible library is present on the classpath.

How to fix Deserialization of Untrusted Data?

Upgrade com.datadoghq:dd-java-agent to version 1.60.3 or higher.

[0.40.0,1.60.3)

Go back to all versions of this package