cvelistv5 - cve-2021-30179

CVE-2021-30179 (GCVE-0-2021-30179)

Vulnerability from cvelistv5 – Published: 2021-05-31 07:25 – Updated: 2024-08-03 22:24

Title

Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter

Summary

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.

Severity ?

No CVSS data available.

CWE

Remote Code Execution

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread.html/rccbcbdd6593…	x_refsource_MISC
	https://lists.apache.org/thread.html/rccbcbdd6593…	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Dubbo	Affected: Apache Dubbo 2.7.x , < 2.7.9 (custom) Affected: Apache Dubbo 2.6.x , < 2.6.9 (custom)

Credits

This issue was first reported by GitHub Security Lab

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:24:59.625Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
          },
          {
            "name": "[dubbo-dev] 20210531 [CVE-2021-30179]Pre-auth RCE via Java deserialization in the Generic filter",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Dubbo",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.7.9",
              "status": "affected",
              "version": "Apache Dubbo 2.7.x",
              "versionType": "custom"
            },
            {
              "lessThan": "2.6.9",
              "status": "affected",
              "version": "Apache Dubbo 2.6.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was first reported by GitHub Security Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote Code Execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-31T08:06:16",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
        },
        {
          "name": "[dubbo-dev] 20210531 [CVE-2021-30179]Pre-auth RCE via Java deserialization in the Generic filter",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-30179",
          "STATE": "PUBLIC",
          "TITLE": "Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Dubbo",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Dubbo 2.7.x",
                            "version_value": "2.7.9"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Dubbo 2.6.x",
                            "version_value": "2.6.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was first reported by GitHub Security Lab"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Remote Code Execution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
            },
            {
              "name": "[dubbo-dev] 20210531 [CVE-2021-30179]Pre-auth RCE via Java deserialization in the Generic filter",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-30179",
    "datePublished": "2021-05-31T07:25:13",
    "dateReserved": "2021-04-07T00:00:00",
    "dateUpdated": "2024-08-03T22:24:59.625Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.5.0\", \"versionEndIncluding\": \"2.5.10\", \"matchCriteriaId\": \"6AA9088D-71FA-4DE0-9DC9-DBE0CCB0AB6B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.6.0\", \"versionEndExcluding\": \"2.6.9\", \"matchCriteriaId\": \"3C659B7D-78C2-44C4-8F42-E51EDA80B16E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.7.0\", \"versionEndExcluding\": \"2.7.10\", \"matchCriteriaId\": \"6A6C2034-505D-477A-83EE-E7ECDDD142A9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.\"}, {\"lang\": \"es\", \"value\": \"Apache Dubbo versiones anteriores a 2.6.9 y 2.7.9, por defecto admite llamadas gen\\u00e9ricas a m\\u00e9todos arbitrarios expuestos por interfaces de proveedor. Estas invocaciones son manejadas por la funci\\u00f3n GenericFilter que encontrar\\u00e1 el servicio y m\\u00e9todo especificado en los primeros argumentos de la invocaci\\u00f3n y usar\\u00e1 la API de Java Reflection para realizar la llamada final. La firma para los m\\u00e9todos $invoke o $invokeAsync es Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; donde el primer argumento es el nombre del m\\u00e9todo a invocar, el segundo es una matriz con los tipos de par\\u00e1metros para el m\\u00e9todo que es invocado y el tercero es una matriz con los argumentos de llamada reales. Adem\\u00e1s, la persona que llama tambi\\u00e9n debe ajustar un adjunto RPC que especifique que la llamada es una llamada gen\\u00e9rica y c\\u00f3mo decodificar los argumentos. Los valores posibles son: - true - raw.return - nativejava - bean - protobuf-json Un atacante puede controlar este adjunto RPC y ajustarlo en nativejava para forzar la deserializaci\\u00f3n java de la matriz de bytes ubicada en el tercer argumento\"}]",
      "id": "CVE-2021-30179",
      "lastModified": "2024-11-21T06:03:28.210",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-06-01T14:15:09.910",
      "references": "[{\"url\": \"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-30179\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-06-01T14:15:09.910\",\"lastModified\":\"2024-11-21T06:03:28.210\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.\"},{\"lang\":\"es\",\"value\":\"Apache Dubbo versiones anteriores a 2.6.9 y 2.7.9, por defecto admite llamadas gen\u00e9ricas a m\u00e9todos arbitrarios expuestos por interfaces de proveedor. Estas invocaciones son manejadas por la funci\u00f3n GenericFilter que encontrar\u00e1 el servicio y m\u00e9todo especificado en los primeros argumentos de la invocaci\u00f3n y usar\u00e1 la API de Java Reflection para realizar la llamada final. La firma para los m\u00e9todos $invoke o $invokeAsync es Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; donde el primer argumento es el nombre del m\u00e9todo a invocar, el segundo es una matriz con los tipos de par\u00e1metros para el m\u00e9todo que es invocado y el tercero es una matriz con los argumentos de llamada reales. Adem\u00e1s, la persona que llama tambi\u00e9n debe ajustar un adjunto RPC que especifique que la llamada es una llamada gen\u00e9rica y c\u00f3mo decodificar los argumentos. Los valores posibles son: - true - raw.return - nativejava - bean - protobuf-json Un atacante puede controlar este adjunto RPC y ajustarlo en nativejava para forzar la deserializaci\u00f3n java de la matriz de bytes ubicada en el tercer argumento\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.0\",\"versionEndIncluding\":\"2.5.10\",\"matchCriteriaId\":\"6AA9088D-71FA-4DE0-9DC9-DBE0CCB0AB6B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.0\",\"versionEndExcluding\":\"2.6.9\",\"matchCriteriaId\":\"3C659B7D-78C2-44C4-8F42-E51EDA80B16E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.7.0\",\"versionEndExcluding\":\"2.7.10\",\"matchCriteriaId\":\"6A6C2034-505D-477A-83EE-E7ECDDD142A9\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
  }
}

GHSA-5MC7-M686-P6JG

Vulnerability from github – Published: 2022-03-18 17:57 – Updated: 2022-03-18 17:57

Summary

Deserialization of Untrusted Data in Apache Dubbo

Details

Apache Dubbo prior to 2.6.9 and 2.7.10 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.dubbo:dubbo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.7.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.alibaba:dubbo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.6.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-30179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-02T20:18:30Z",
    "nvd_published_at": "2021-06-01T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Apache Dubbo prior to 2.6.9 and 2.7.10 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.",
  "id": "GHSA-5mc7-m686-p6jg",
  "modified": "2022-03-18T17:57:32Z",
  "published": "2022-03-18T17:57:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30179"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deserialization of Untrusted Data in Apache Dubbo"
}

FKIE_CVE-2021-30179

Vulnerability from fkie_nvd - Published: 2021-06-01 14:15 - Updated: 2024-11-21 06:03

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E	Mailing List, Vendor Advisory
security@apache.org	https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E	Mailing List, Vendor Advisory

Impacted products

Vendor	Product	Version
apache	dubbo	*
apache	dubbo	*
apache	dubbo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AA9088D-71FA-4DE0-9DC9-DBE0CCB0AB6B",
              "versionEndIncluding": "2.5.10",
              "versionStartIncluding": "2.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C659B7D-78C2-44C4-8F42-E51EDA80B16E",
              "versionEndExcluding": "2.6.9",
              "versionStartIncluding": "2.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A6C2034-505D-477A-83EE-E7ECDDD142A9",
              "versionEndExcluding": "2.7.10",
              "versionStartIncluding": "2.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument."
    },
    {
      "lang": "es",
      "value": "Apache Dubbo versiones anteriores a 2.6.9 y 2.7.9, por defecto admite llamadas gen\u00e9ricas a m\u00e9todos arbitrarios expuestos por interfaces de proveedor. Estas invocaciones son manejadas por la funci\u00f3n GenericFilter que encontrar\u00e1 el servicio y m\u00e9todo especificado en los primeros argumentos de la invocaci\u00f3n y usar\u00e1 la API de Java Reflection para realizar la llamada final. La firma para los m\u00e9todos $invoke o $invokeAsync es Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; donde el primer argumento es el nombre del m\u00e9todo a invocar, el segundo es una matriz con los tipos de par\u00e1metros para el m\u00e9todo que es invocado y el tercero es una matriz con los argumentos de llamada reales. Adem\u00e1s, la persona que llama tambi\u00e9n debe ajustar un adjunto RPC que especifique que la llamada es una llamada gen\u00e9rica y c\u00f3mo decodificar los argumentos. Los valores posibles son: - true - raw.return - nativejava - bean - protobuf-json Un atacante puede controlar este adjunto RPC y ajustarlo en nativejava para forzar la deserializaci\u00f3n java de la matriz de bytes ubicada en el tercer argumento"
    }
  ],
  "id": "CVE-2021-30179",
  "lastModified": "2024-11-21T06:03:28.210",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-06-01T14:15:09.910",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-30179

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-30179

Aliases

CVE-2021-30179

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-30179",
    "description": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.",
    "id": "GSD-2021-30179"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-30179"
      ],
      "details": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.",
      "id": "GSD-2021-30179",
      "modified": "2023-12-13T01:23:30.604283Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2021-30179",
        "STATE": "PUBLIC",
        "TITLE": "Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Dubbo",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache Dubbo 2.7.x",
                          "version_value": "2.7.9"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache Dubbo 2.6.x",
                          "version_value": "2.6.9"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "This issue was first reported by GitHub Security Lab"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Remote Code Execution"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
          },
          {
            "name": "[dubbo-dev] 20210531 [CVE-2021-30179]Pre-auth RCE via Java deserialization in the Generic filter",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[2.5.0,2.6.9)",
          "affected_versions": "All versions starting from 2.5.0 before 2.6.9",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2022-03-21",
          "description": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call.",
          "fixed_versions": [
            "2.6.9"
          ],
          "identifier": "CVE-2021-30179",
          "identifiers": [
            "GHSA-5mc7-m686-p6jg",
            "CVE-2021-30179"
          ],
          "not_impacted": "All versions before 2.5.0, all versions starting from 2.6.9",
          "package_slug": "maven/com.alibaba/dubbo",
          "pubdate": "2022-03-18",
          "solution": "Upgrade to version 2.6.9 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-30179",
            "https://github.com/advisories/GHSA-5mc7-m686-p6jg"
          ],
          "uuid": "26555704-e39a-40a9-886b-bdd7bd4d4d5e"
        },
        {
          "affected_range": "[2.5.0,2.5.10],[2.6.0,2.6.9),[2.7.0,2.7.10)",
          "affected_versions": "All versions starting from 2.5.0 up to 2.5.10, all versions starting from 2.6.0 before 2.6.9, all versions starting from 2.7.0 before 2.7.10",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2021-06-10",
          "description": "Apache Dubbo by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments.",
          "fixed_versions": [
            "2.7.10"
          ],
          "identifier": "CVE-2021-30179",
          "identifiers": [
            "CVE-2021-30179"
          ],
          "not_impacted": "All versions before 2.5.0, all versions after 2.5.10 before 2.6.0, all versions starting from 2.6.9 before 2.7.0, all versions starting from 2.7.10",
          "package_slug": "maven/org.apache.dubbo/dubbo",
          "pubdate": "2021-06-01",
          "solution": "Upgrade to version 2.7.10 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-30179"
          ],
          "uuid": "2c43a75c-6a0e-4a58-b62e-ce26a5533b3e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.5.10",
                "versionStartIncluding": "2.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.6.9",
                "versionStartIncluding": "2.6.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.7.10",
                "versionStartIncluding": "2.7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-30179"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[dubbo-dev] 20210531 [CVE-2021-30179]Pre-auth RCE via Java deserialization in the Generic filter",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-06-10T13:57Z",
      "publishedDate": "2021-06-01T14:15Z"
    }
  }
}

CNVD-2021-41088

Vulnerability from cnvd - Published: 2021-06-11

Title

Apache Dubbo反序列化漏洞（CNVD-2021-41088）

Description

Apache Dubbo是美国阿帕奇（Apache）基金会的一款基于Java的轻量级RPC（远程过程调用）框架。该产品提供了基于接口的远程呼叫、容错和负载平衡以及自动服务注册和发现等功能。 Apache Dubbo 2.6.9和2.7.9之前存在反序列化漏洞，该漏洞源于默认支持对提供者接口公开的任意方法的通用调用。攻击者可以控制此RPC附件并将其设置为nativejava以强制对位于第三个参数中的字节数组进行java反序列化。

Severity

高

Patch Name

Apache Dubbo反序列化漏洞（CNVD-2021-41088）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-30179

Impacted products

Name
['Apache Apache Dubbo <2.6.9', 'Apache Apache Dubbo <2.7.9']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-30179",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-30179"
    }
  },
  "description": "Apache Dubbo\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u7684\u8f7b\u91cf\u7ea7RPC\uff08\u8fdc\u7a0b\u8fc7\u7a0b\u8c03\u7528\uff09\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u63d0\u4f9b\u4e86\u57fa\u4e8e\u63a5\u53e3\u7684\u8fdc\u7a0b\u547c\u53eb\u3001\u5bb9\u9519\u548c\u8d1f\u8f7d\u5e73\u8861\u4ee5\u53ca\u81ea\u52a8\u670d\u52a1\u6ce8\u518c\u548c\u53d1\u73b0\u7b49\u529f\u80fd\u3002\n\nApache Dubbo 2.6.9\u548c2.7.9\u4e4b\u524d\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u9ed8\u8ba4\u652f\u6301\u5bf9\u63d0\u4f9b\u8005\u63a5\u53e3\u516c\u5f00\u7684\u4efb\u610f\u65b9\u6cd5\u7684\u901a\u7528\u8c03\u7528\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u63a7\u5236\u6b64RPC\u9644\u4ef6\u5e76\u5c06\u5176\u8bbe\u7f6e\u4e3anativejava\u4ee5\u5f3a\u5236\u5bf9\u4f4d\u4e8e\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e2d\u7684\u5b57\u8282\u6570\u7ec4\u8fdb\u884cjava\u53cd\u5e8f\u5217\u5316\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-41088",
  "openTime": "2021-06-11",
  "patchDescription": "Apache Dubbo\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u7684\u8f7b\u91cf\u7ea7RPC\uff08\u8fdc\u7a0b\u8fc7\u7a0b\u8c03\u7528\uff09\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u63d0\u4f9b\u4e86\u57fa\u4e8e\u63a5\u53e3\u7684\u8fdc\u7a0b\u547c\u53eb\u3001\u5bb9\u9519\u548c\u8d1f\u8f7d\u5e73\u8861\u4ee5\u53ca\u81ea\u52a8\u670d\u52a1\u6ce8\u518c\u548c\u53d1\u73b0\u7b49\u529f\u80fd\u3002\r\n\r\nApache Dubbo 2.6.9\u548c2.7.9\u4e4b\u524d\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u9ed8\u8ba4\u652f\u6301\u5bf9\u63d0\u4f9b\u8005\u63a5\u53e3\u516c\u5f00\u7684\u4efb\u610f\u65b9\u6cd5\u7684\u901a\u7528\u8c03\u7528\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u63a7\u5236\u6b64RPC\u9644\u4ef6\u5e76\u5c06\u5176\u8bbe\u7f6e\u4e3anativejava\u4ee5\u5f3a\u5236\u5bf9\u4f4d\u4e8e\u7b2c\u4e09\u4e2a\u53c2\u6570\u4e2d\u7684\u5b57\u8282\u6570\u7ec4\u8fdb\u884cjava\u53cd\u5e8f\u5217\u5316\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Dubbo\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2021-41088\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Apache Dubbo \u003c2.6.9",
      "Apache Apache Dubbo \u003c2.7.9"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-30179",
  "serverity": "\u9ad8",
  "submitTime": "2021-06-03",
  "title": "Apache Dubbo\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2021-41088\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-30179 (GCVE-0-2021-30179)

GHSA-5MC7-M686-P6JG

FKIE_CVE-2021-30179

GSD-2021-30179

CNVD-2021-41088

Tags

Sightings

Nomenclature