Remote Code Execution in Apache Dubbo

High severity GitHub Reviewed Published Sep 8, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

maven org.apache.dubbo:dubbo (Maven)

Affected versions

< 2.7.13
>= 3.0.0, < 3.0.2

Patched versions

2.7.13
3.0.2

Description

Apache Dubbo supports various rules for configuration override and traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (e.g. Zookeeper, Nacos, ...) and retrieved by consumers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo consumers use the SnakeYAML library to load them, and SnakeYAML's default constructor allows the YAML document to invoke arbitrary constructors. An attacker with access to the configuration center can therefore poison a rule so that, when it is retrieved by the consumers, it achieves RCE on all of them. This was fixed in Dubbo 2.7.13 and 3.0.2.
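The mitigation on the parsing side is the standard SnakeYAML one: build the `Yaml` instance with `SafeConstructor`, which only constructs plain maps, lists and scalars and rejects any global `!!class` tag. The following is an added illustration, not code from the Dubbo project or from the advisory; the rule text is a constructed sample in the shape of a Dubbo 2.7 condition routing rule, and `SafeRuleLoader`, `loadRule` and the placeholder tag `!!com.example.Placeholder` are hypothetical names.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeRuleLoader {
    // Constructed sample: a benign Dubbo 2.7 style condition routing rule.
    static final String RULE = String.join("\n",
        "configVersion: v2.7",
        "scope: application",
        "key: demo-consumer",
        "enabled: true",
        "conditions:",
        "  - 'method=sayHello => region=hangzhou'");

    // The same rule carrying a global tag (hypothetical, non-existent class).
    // With SnakeYAML's default constructor such a tag selects which class to
    // instantiate; with SafeConstructor it is refused outright.
    static final String TAGGED_RULE = "!!com.example.Placeholder\n" + RULE;

    // Loader restricted to plain YAML types (maps, lists, scalars).
    static Map<String, Object> loadRule(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        Map<String, Object> rule = loadRule(RULE);
        System.out.println("conditions = " + rule.get("conditions"));
        try {
            loadRule(TAGGED_RULE);
            System.out.println("unexpected: tagged rule was accepted");
        } catch (ConstructorException e) {
            // Expected: "could not determine a constructor for the tag ..."
            System.out.println("rejected tagged rule: " + e.getMessage());
        }
    }
}
```

A quick audit check for the same class of defect is any `new Yaml()` with no constructor argument applied to input that is not fully under the application's control.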

References

Published by the National Vulnerability Database Sep 7, 2021
Reviewed Sep 8, 2021
Published to the GitHub Advisory Database Sep 8, 2021
Last updated Feb 1, 2023

Severity

High
8.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2021-36162

GHSA ID

GHSA-r577-4hq7-73qh

Source code
