Tracer Version(s)
1.63.0
Java Version(s)
25
JVM Vendor
Eclipse Adoptium / Temurin
Bug Report
Our enterprise container vulnerability scanner (Google Cloud Artifact Registry Scanner) is flagging a High Severity security vulnerability (CVE-2021-0341, CVSS 7.5) inside the bundled dependencies of dd-java-agent.jar.
The scan specifically isolates the vulnerable code inside the internal shaded namespace folder structure of the agent.
Environment
- Datadog Java Agent Version: 1.63.0 (and 1.60.3)
- Java Version: 25
- Vulnerability Scanner: Google Artifact Registry / Container Scanner (OS Config / Trivy-based)
Flagged Path Evidence
The scanner explicitly unpacks the container layer and identifies the embedded tracking properties here:
xx/dd-java-agent.jar/shared/META-INF/maven/com.datadoghq.okhttp3/okhttp/pom.properties
The configuration inside indicates that the underlying engine is relying on OkHttp 3.12.15, which contains the known CVE-2021-0341 validation flaw. This requires a baseline migration to OkHttp 4.9.2+ (or a secure, patched 3.x branch) to clear the signature.
Impact
While we understand that this library is shaded under the com.datadoghq.okhttp3 namespace and heavily isolated from our main application code paths, modern binary fingerprinting scanners look at the class signatures directly.
Because it is classified as a High severity finding, our automated company CI/CD quality
Expected Behavior
The shaded HTTP transport utility inside dd-java-agent should be bumped to a safe version.
Reproduction Code
No response
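The check below is an added example, not code from the report or from the Datadog project: it reproduces what the scanner described above does, walking every META-INF/maven/**/pom.properties entry inside a jar (including shaded ones, whose relocated groupId does not hide the version metadata) and comparing the recorded version against a minimum. The sample jar is constructed inline and contains only the pom.properties path and version quoted in the report; the 4.9.2 threshold is the one the report gives.

```python
import io
import re
import zipfile

# Minimum acceptable version per the report: OkHttp 4.9.2 or later.
POLICY = {"okhttp": (4, 9, 2)}


def build_sample_jar():
    """Constructed sample jar: only the metadata entries matter for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "shared/META-INF/maven/com.datadoghq.okhttp3/okhttp/pom.properties",
            "version=3.12.15\ngroupId=com.datadoghq.okhttp3\nartifactId=okhttp\n",
        )
        # An unrelated (constructed) artifact that no policy entry covers.
        zf.writestr(
            "shared/META-INF/maven/org.example/other/pom.properties",
            "version=1.2.3\ngroupId=org.example\nartifactId=other\n",
        )
    return buf.getvalue()


def parse_version(text):
    """'3.12.15' -> (3, 12, 15); tolerant of suffixes such as '-SNAPSHOT'."""
    return tuple(int(x) for x in re.findall(r"\d+", text)[:3])


def shaded_artifacts(jar_bytes):
    """Yield (entry path, properties dict) for every Maven pom.properties in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if "META-INF/maven/" in name and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                yield name, props


def findings(jar_bytes, policy=POLICY):
    """Return the artifacts whose recorded version is below the policy minimum."""
    out = []
    for path, props in shaded_artifacts(jar_bytes):
        artifact = props.get("artifactId", "")
        minimum = policy.get(artifact)
        if minimum and parse_version(props.get("version", "0")) < minimum:
            out.append({
                "path": path,
                "artifact": f"{props.get('groupId', '')}:{artifact}",
                "version": props.get("version", ""),
                "minimum": ".".join(map(str, minimum)),
            })
    return out
```

Running `findings(open("dd-java-agent.jar", "rb").read())` against a real agent jar reports the same shaded entries the container scanner keys on.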