cnvd - cnvd-2021-41088

CNVD-2021-41088

Vulnerability from cnvd - Published: 2021-06-11

Title

Apache Dubbo反序列化漏洞（CNVD-2021-41088）

Description

Apache Dubbo是美国阿帕奇（Apache）基金会的一款基于Java的轻量级RPC（远程过程调用）框架。该产品提供了基于接口的远程呼叫、容错和负载平衡以及自动服务注册和发现等功能。 Apache Dubbo 2.6.9和2.7.9之前存在反序列化漏洞，该漏洞源于默认支持对提供者接口公开的任意方法的通用调用。攻击者可以控制此RPC附件并将其设置为nativejava以强制对位于第三个参数中的字节数组进行java反序列化。

Severity

高

Patch Name

Apache Dubbo反序列化漏洞（CNVD-2021-41088）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-30179

Impacted products

Name
['Apache Apache Dubbo <2.6.9', 'Apache Apache Dubbo <2.7.9']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-30179",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-30179"
    }
  },
  "description": "Apache Dubbo\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u7684\u8f7b\u91cf\u7ea7RPC\uff08\u8fdc\u7a0b\u8fc7\u7a0b\u8c03\u7528\uff09\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u63d0\u4f9b\u4e86\u57fa\u4e8e\u63a5\u53e3\u7684\u8fdc\u7a0b\u547c\u53eb\u3001\u5bb9\u9519\u548c\u8d1f\u8f7d\u5e73\u8861\u4ee5\u53ca\u81ea\u52a8\u670d\u52a1\u6ce8\u518c\u548c\u53d1\u73b0\u7b49\u529f\u80fd\u3002\n\nApache Dubbo 2.6.9\u548c2.7.9\u4e4b\u524d\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u9ed8\u8ba4\u652f\u6301\u5bf9\u63d0\u4f9b\u8005\u63a5\u53e3\u516c\u5f00\u7684\u4efb\u610f\u65b9\u6cd5\u7684\u901a\u7528\u8c03\u7528\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u63a7\u5236\u6b64RPC\u9644\u4ef6\u5e76\u5c06\u5176\u8bbe\u7f6e\u4e3anativejava\u4ee5\u5f3a\u5236\u5bf9\u4f4d\u4e8e\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e2d\u7684\u5b57\u8282\u6570\u7ec4\u8fdb\u884cjava\u53cd\u5e8f\u5217\u5316\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-41088",
  "openTime": "2021-06-11",
  "patchDescription": "Apache Dubbo\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u7684\u8f7b\u91cf\u7ea7RPC\uff08\u8fdc\u7a0b\u8fc7\u7a0b\u8c03\u7528\uff09\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u63d0\u4f9b\u4e86\u57fa\u4e8e\u63a5\u53e3\u7684\u8fdc\u7a0b\u547c\u53eb\u3001\u5bb9\u9519\u548c\u8d1f\u8f7d\u5e73\u8861\u4ee5\u53ca\u81ea\u52a8\u670d\u52a1\u6ce8\u518c\u548c\u53d1\u73b0\u7b49\u529f\u80fd\u3002\r\n\r\nApache Dubbo 2.6.9\u548c2.7.9\u4e4b\u524d\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u9ed8\u8ba4\u652f\u6301\u5bf9\u63d0\u4f9b\u8005\u63a5\u53e3\u516c\u5f00\u7684\u4efb\u610f\u65b9\u6cd5\u7684\u901a\u7528\u8c03\u7528\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u63a7\u5236\u6b64RPC\u9644\u4ef6\u5e76\u5c06\u5176\u8bbe\u7f6e\u4e3anativejava\u4ee5\u5f3a\u5236\u5bf9\u4f4d\u4e8e\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e2d\u7684\u5b57\u8282\u6570\u7ec4\u8fdb\u884cjava\u53cd\u5e8f\u5217\u5316\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Dubbo\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2021-41088\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Apache Dubbo \u003c2.6.9",
      "Apache Apache Dubbo \u003c2.7.9"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-30179",
  "serverity": "\u9ad8",
  "submitTime": "2021-06-03",
  "title": "Apache Dubbo\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2021-41088\uff09"
}

CVE-2021-30179 (GCVE-0-2021-30179)

Vulnerability from cvelistv5 – Published: 2021-05-31 07:25 – Updated: 2024-08-03 22:24

Title

Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter

Summary

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.

Severity ?

No CVSS data available.

CWE

Remote Code Execution

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread.html/rccbcbdd6593…	x_refsource_MISC
	https://lists.apache.org/thread.html/rccbcbdd6593…	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Dubbo	Affected: Apache Dubbo 2.7.x , < 2.7.9 (custom) Affected: Apache Dubbo 2.6.x , < 2.6.9 (custom)

Credits

This issue was first reported by GitHub Security Lab

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.625Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
          },
          {
            "name": "[dubbo-dev] 20210531 [CVE-2021-30179]Pre-auth RCE via Java deserialization in the Generic filter",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Dubbo",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.7.9",
              "status": "affected",
              "version": "Apache Dubbo 2.7.x",
              "versionType": "custom"
            },
            {
              "lessThan": "2.6.9",
              "status": "affected",
              "version": "Apache Dubbo 2.6.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was first reported by GitHub Security Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote Code Execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-31T08:06:16",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
        },
        {
          "name": "[dubbo-dev] 20210531 [CVE-2021-30179]Pre-auth RCE via Java deserialization in the Generic filter",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-30179",
          "STATE": "PUBLIC",
          "TITLE": "Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Dubbo",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Dubbo 2.7.x",
                            "version_value": "2.7.9"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Dubbo 2.6.x",
                            "version_value": "2.6.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was first reported by GitHub Security Lab"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Remote Code Execution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
            },
            {
              "name": "[dubbo-dev] 20210531 [CVE-2021-30179]Pre-auth RCE via Java deserialization in the Generic filter",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-30179",
    "datePublished": "2021-05-31T07:25:13",
    "dateReserved": "2021-04-07T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.625Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-41088

CVE-2021-30179 (GCVE-0-2021-30179)

Tags

Sightings

Nomenclature