cnvd - cnvd-2021-39669

cnvd-2021-39669

Vulnerability from cnvd

Title: Apache Dubbo反序列化漏洞（CNVD-2021-39669）

Description:

Apache Dubbo 是Apache基金会的基于Java的高性能开源RPC框架。

Apache Dubbo 2.7.8和2.6.9之前版本存在反序列化漏洞。攻击者可利用该漏洞通过篡改字节前导标志，指定比较脆弱的deserializer，从而进一步利用。

Severity: 高

Patch Name: Apache Dubbo反序列化漏洞（CNVD-2021-39669）的补丁

Patch Description:

Apache Dubbo 是Apache基金会的基于Java的高性能开源RPC框架。

Apache Dubbo 2.7.8和2.6.9之前版本存在反序列化漏洞。攻击者可利用该漏洞通过篡改字节前导标志，指定比较脆弱的deserializer，从而进一步利用。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://github.com/apache/dubbo/

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25641

Impacted products

Name
['Apache Apache Dubbo <2.6.9', 'Apache Apache Dubbo <2.7.8']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-25641",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-25641"
    }
  },
  "description": "Apache Dubbo \u662fApache\u57fa\u91d1\u4f1a\u7684\u57fa\u4e8eJava\u7684\u9ad8\u6027\u80fd\u5f00\u6e90RPC\u6846\u67b6\u3002\n\nApache Dubbo 2.7.8\u548c2.6.9\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7be1\u6539\u5b57\u8282\u524d\u5bfc\u6807\u5fd7\uff0c\u6307\u5b9a\u6bd4\u8f83\u8106\u5f31\u7684deserializer\uff0c\u4ece\u800c\u8fdb\u4e00\u6b65\u5229\u7528\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://github.com/apache/dubbo/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-39669",
  "openTime": "2021-06-05",
  "patchDescription": "Apache Dubbo \u662fApache\u57fa\u91d1\u4f1a\u7684\u57fa\u4e8eJava\u7684\u9ad8\u6027\u80fd\u5f00\u6e90RPC\u6846\u67b6\u3002\r\n\r\nApache Dubbo 2.7.8\u548c2.6.9\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u7be1\u6539\u5b57\u8282\u524d\u5bfc\u6807\u5fd7\uff0c\u6307\u5b9a\u6bd4\u8f83\u8106\u5f31\u7684deserializer\uff0c\u4ece\u800c\u8fdb\u4e00\u6b65\u5229\u7528\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Dubbo\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2021-39669\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Apache Dubbo \u003c2.6.9",
      "Apache Apache Dubbo \u003c2.7.8"
    ]
  },
  "referenceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25641",
  "serverity": "\u9ad8",
  "submitTime": "2021-06-01",
  "title": "Apache Dubbo\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CNVD-2021-39669\uff09"
}

CVE-2021-25641 (GCVE-0-2021-25641)

Vulnerability from cvelistv5

Published

2021-05-29 07:30

Modified

2024-08-03 20:11

Severity ?

CWE

Remote Code Execution by tempering the serialization id on server side.

Summary

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.

References

▼	URL	Tags
	https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Dubbo	Version: Apache Dubbo 2.7.x < 2.7.8 Version: Apache Dubbo 2.6.x < 2.6.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:11:27.972Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Dubbo",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.7.8",
              "status": "affected",
              "version": "Apache Dubbo 2.7.x",
              "versionType": "custom"
            },
            {
              "lessThan": "2.6.9",
              "status": "affected",
              "version": "Apache Dubbo 2.6.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server\u0027s instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote Code Execution by tempering the serialization id on server side.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-29T07:30:12",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Dubbo Zookeeper does not check serialization id",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "Serialization being tampered by attackers",
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-25641",
          "STATE": "PUBLIC",
          "TITLE": "Dubbo Zookeeper does not check serialization id"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Dubbo",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Dubbo 2.7.x",
                            "version_value": "2.7.8"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache Dubbo 2.6.x",
                            "version_value": "2.6.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server\u0027s instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Remote Code Execution by tempering the serialization id on server side."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-25641",
    "datePublished": "2021-05-29T07:30:12",
    "dateReserved": "2021-01-20T00:00:00",
    "dateUpdated": "2024-08-03T20:11:27.972Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted