Posted to dev@dubbo.apache.org by Albumen Kevin <al...@apache.org> on 2022/01/10 06:18:25 UTC

CVE-2021-43297: Apache Dubbo: Dubbo Hessian cause RCE when parse error

Severity: high

Description:

A deserialization vulnerability existed in Dubbo hessian-lite 3.2.11
and earlier versions, which could lead to malicious code execution.
Most Dubbo users use Hessian2 as the default
serialization/deserialization protocol; when Hessian catches an
unexpected exception, it logs some information for users, which may
cause remote command execution. This issue affects Apache Dubbo 2.6.x
versions prior to 2.6.12, Apache Dubbo 2.7.x versions prior to 2.7.15,
and Apache Dubbo 3.0.x versions prior to 3.0.5.
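An added example, not part of this advisory or of the Dubbo project, that turns the affected ranges stated above into a dependency check a defender can run over a Maven-style dependency listing; the sample coordinates and the "groupId:artifactId:version" line format are constructed assumptions:

```python
import re
from typing import Optional, Tuple

# Affected ranges from the advisory: (major, minor) branch -> first fixed version.
DUBBO_FIXED = {(2, 6): (2, 6, 12), (2, 7): (2, 7, 15), (3, 0): (3, 0, 5)}
# hessian-lite 3.2.11 and earlier are affected.
HESSIAN_LITE_LAST_AFFECTED = (3, 2, 11)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse the leading dotted numeric part of '2.7.14' or '3.0.5-SNAPSHOT'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def dubbo_affected(version: str) -> Optional[bool]:
    """True if in an affected Dubbo range, False if fixed, None if the branch
    (e.g. 3.1.x) is not covered by the advisory or the version is unparsable."""
    v = parse_version(version)
    if v is None or len(v) < 2:
        return None
    fixed = DUBBO_FIXED.get(v[:2])
    return None if fixed is None else v < fixed


def hessian_lite_affected(version: str) -> Optional[bool]:
    """True if hessian-lite is 3.2.11 or earlier."""
    v = parse_version(version)
    return None if v is None else v <= HESSIAN_LITE_LAST_AFFECTED


def scan_dependencies(lines):
    """Check 'groupId:artifactId:version' lines; return (artifact, version, verdict)."""
    checks = {"dubbo": dubbo_affected, "hessian-lite": hessian_lite_affected}
    findings = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[1] in checks:
            findings.append((parts[1], parts[2], checks[parts[1]](parts[2])))
    return findings


# Constructed sample dependency list, not taken from any real project.
SAMPLE_DEPS = ["org.apache.dubbo:dubbo:2.7.14", "org.apache.dubbo:dubbo:3.0.5",
               "com.alibaba:hessian-lite:3.2.11", "com.alibaba:hessian-lite:3.2.12",
               "org.apache.dubbo:dubbo:3.1.0"]

if __name__ == "__main__":
    for artifact, version, verdict in scan_dependencies(SAMPLE_DEPS):
        print(artifact, version, {True: "AFFECTED", False: "fixed", None: "not covered"}[verdict])
```

Pre-release qualifiers such as "-SNAPSHOT" are ignored by the parser, so a 3.0.5-SNAPSHOT build is reported as fixed even though it predates the release; treat "not covered" results as needing manual review.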

Credit:

The reported entry points differ. The following people or
organizations reported the vulnerability independently, sorted by
discovery time:
1. cxc&yhbl&wh1t3p1g&fynch3r from G5-RD6@IIE
2. yxxx