Unsafe Deserialization In Apache Dubbo & Alibaba Dubbo: CVE-2021-25641 / CX-2021-4792

Severity

Severity: 10 (Critical)

Summary

Affected versions of Apache Dubbo and Alibaba Dubbo are vulnerable to remote code execution over the Dubbo protocol. The Dubbo protocol transmits serialized objects together with header flags that select which deserializer the receiver uses, so an attacker can choose an unsafe deserializer for reading the object and achieve RCE.
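As an added example (not code from the advisory or from the Dubbo project), a provider-side check over the 16-byte Dubbo 2.x frame header that flags requests whose serialization ID (the low five bits of the flag byte) differs from the serializer the provider is configured to use. The serialization-ID table and the hessian2 default (id 2) are assumptions to verify against the Dubbo version in use; the sample frames are constructed here for the check.

```python
import struct

# Dubbo 2.x wire header (16 bytes): magic 0xdabb, flag, status, 8-byte request id,
# 4-byte body length. The flag byte carries request/twoway/event bits plus the
# serialization ID that tells the receiver which deserializer to apply to the body.
MAGIC = b"\xda\xbb"
FLAG_REQUEST = 0x80
FLAG_TWOWAY = 0x40
FLAG_EVENT = 0x20
SERIALIZATION_MASK = 0x1F

# Assumption: serialization IDs as defined in Dubbo's serialization constants.
SERIALIZATION_NAMES = {
    2: "hessian2", 3: "java", 4: "compactedjava", 6: "fastjson",
    7: "nativejava", 8: "kryo", 9: "fst",
}


def parse_header(frame: bytes) -> dict:
    """Decode the 16-byte Dubbo header; raise ValueError on a malformed frame."""
    if len(frame) < 16 or frame[:2] != MAGIC:
        raise ValueError("not a Dubbo frame")
    flag = frame[2]
    request_id, body_length = struct.unpack(">qi", frame[4:16])
    return {
        "request": bool(flag & FLAG_REQUEST),
        "twoway": bool(flag & FLAG_TWOWAY),
        "event": bool(flag & FLAG_EVENT),
        "serialization_id": flag & SERIALIZATION_MASK,
        "status": frame[3],
        "request_id": request_id,
        "body_length": body_length,
    }


def check_frame(frame: bytes, expected_id: int = 2) -> str:
    """Return 'ok' when an inbound request selects the provider's configured
    serializer; otherwise describe the mismatch so it can be logged or rejected."""
    header = parse_header(frame)
    if not header["request"]:
        return "ok"  # responses are decoded on the consumer side, not by the provider
    sid = header["serialization_id"]
    if sid == expected_id:
        return "ok"
    got = SERIALIZATION_NAMES.get(sid, f"unknown({sid})")
    want = SERIALIZATION_NAMES.get(expected_id, str(expected_id))
    return f"serialization mismatch: request {header['request_id']} selects {got}, provider expects {want}"


def sample_frame(serialization_id: int, request_id: int = 1, body_length: int = 0) -> bytes:
    """Constructed header-only frame used as sample input for the check."""
    flag = FLAG_REQUEST | FLAG_TWOWAY | (serialization_id & SERIALIZATION_MASK)
    return MAGIC + bytes([flag, 0]) + struct.pack(">qi", request_id, body_length)
```

A provider that enforces this check refuses to hand the body to any deserializer other than the one it was configured with, regardless of what the header requests.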

Product

  • org.apache.dubbo <= 2.7.9
  • com.alibaba.dubbo <= 2.6.9

Impact

Exploiting this vulnerability could result in RCE in the Dubbo provider instance.

Steps To Reproduce

Follow the instructions in the Checkmarx Blog.

Remediation

  • Upgrade from Alibaba Dubbo to Apache Dubbo; Alibaba Dubbo is no longer maintained
  • Update Apache Dubbo to its latest version

Properties

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Credit

This issue was discovered and reported by Checkmarx Security Research Team Leader Dor Tumarkin (@dortumarkin).

Resources

  1. Checkmarx Blog
  2. Apache Disclosure