GHSA-h8w2-rv57-vc6f: splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:

1. Splunk Distribution of OpenTelemetry Java is attached as a Java agent (-javaagent)
2. An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service)
3. A gadget-chain-compatible library is present on the classpath