You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@dubbo.apache.org by Jun Liu <li...@apache.org> on 2021/09/08 05:39:09 UTC

[CVE-2021-36161] Formating output of RPC arguments cause RCE

Hi
Severity: low

Vendor:
The Dubbo Project Team

Versions Affected:
Dubbo 2.7.0 to 2.7.12

Description:
Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places.

Solution:
Upgrade to 2.7.13 for users using 2.7.x

Credit:
This issue was first reported by Qin Ce from the Huawei

Jun