Implement workaround in accumulo-env.sh for OpenTelemetry CVE (#6288)

dlmarion · ddanielr · web-flow · commit ffbfb3eb550a · 2026-04-02T14:53:46.000-04:00
Added a system property in accumulo-env.sh to disable the RMI instrumentation of the OpenTelemetry Java Agent. See https://github.com/apache/accumulo/security/dependabot/25 for more information. Co-authored-by: Daniel Roberts <ddanielr@gmail.com>
diff --git a/assemble/conf/accumulo-env.sh b/assemble/conf/accumulo-env.sh
@@ -117,6 +117,8 @@ JAVA_OPTS=("-Daccumulo.log.dir=${ACCUMULO_LOG_DIR}"
   "-Dlog4j2.statusLoggerLevel=ERROR"
   "-Dlog4j2.contextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector"
   "-Dotel.service.name=${ACCUMULO_SERVICE_INSTANCE}"
+  # Mitigation for CVE-2026-33701
+  "-Dotel.instrumentation.rmi.enabled=false"
   "${JAVA_OPTS[@]}"
 )
 

Original file line number	Diff line number	Diff line change
`@@ -117,6 +117,8 @@ JAVA_OPTS=("-Daccumulo.log.dir=${ACCUMULO_LOG_DIR}"`
`117`	`117`	`"-Dlog4j2.statusLoggerLevel=ERROR"`
`118`	`118`	`"-Dlog4j2.contextSelector=org.apache.logging.log4j.core.async.AsyncLoggerContextSelector"`
`119`	`119`	`"-Dotel.service.name=${ACCUMULO_SERVICE_INSTANCE}"`
	`120`	`+ # Mitigation for CVE-2026-33701`
	`121`	`+ "-Dotel.instrumentation.rmi.enabled=false"`
`120`	`122`	`"${JAVA_OPTS[@]}"`
`121`	`123`	`)`
`122`	`124`