Posted to dev@dubbo.apache.org by Jun Liu <li...@apache.org> on 2021/05/31 01:21:33 UTC

[CVE-2021-30180] RCE on customers via Condition route poisoning (Unsafe YAML unmarshaling)

Hi

Severity: low

Vendor:
The Dubbo Project Team

Versions Affected:
Dubbo 2.7.0 to 2.7.9


Description:
Apache Dubbo supports Tag routing, which enables a customer to route a request to the right server. These rules are used by customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors. Only users who enable the Tag Router may be affected.
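The defect described above is unsafe YAML unmarshaling: a YAML loader that resolves global tags into Java class construction will instantiate whatever class a rule document names. The following is an added example, not code from the Dubbo project or from this advisory, showing how a tag-router-style rule can be loaded with SnakeYAML's SafeConstructor, which builds only standard YAML types (mappings, sequences, scalars) and rejects class-naming tags. The rule layout, the field names in the whitelist, the sample addresses and the rejected tag name are all constructed for the example and are not taken from the advisory.

```java
import java.util.List;
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added example (not Dubbo project code): load an untrusted routing-rule YAML
// document without allowing arbitrary constructors to be invoked.
public class SafeRuleLoader {

    // Constructed sample rule in the shape of a tag-router rule. The field names
    // are an assumption for this example, not taken from the advisory.
    static final String SAMPLE_RULE =
        "scope: application\n" +
        "key: demo-provider\n" +
        "enabled: true\n" +
        "tags:\n" +
        "  - name: tag1\n" +
        "    addresses: [\"192.168.0.1:20880\"]\n";

    // Parse untrusted YAML into plain maps/lists/scalars only.
    public static Map<String, Object> loadRule(String yamlText) {
        // A plain `new Yaml()` uses the default Constructor, which resolves
        // global tags such as "!!some.Class" into Java object construction.
        // SafeConstructor has no such resolution and throws on unknown tags.
        Yaml yaml = new Yaml(new SafeConstructor());
        Object root = yaml.load(yamlText);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("rule must be a YAML mapping");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> rule = (Map<String, Object>) root;
        // Whitelist the keys a rule may contain (assumed set for this example),
        // so that unexpected structure is rejected rather than silently kept.
        for (String key : rule.keySet()) {
            switch (key) {
                case "scope": case "key": case "enabled": case "force":
                case "runtime": case "priority": case "tags":
                    break;
                default:
                    throw new IllegalArgumentException("unexpected rule key: " + key);
            }
        }
        return rule;
    }

    public static void main(String[] args) {
        Map<String, Object> rule = loadRule(SAMPLE_RULE);
        List<?> tags = (List<?>) rule.get("tags");
        System.out.println("loaded rule for " + rule.get("key")
                + " with " + tags.size() + " tag(s)");

        // A document carrying a global tag is refused by SafeConstructor instead
        // of being turned into an object. The class name here is constructed for
        // the example and does not exist.
        try {
            loadRule("key: !!com.example.NotAllowed {}\n");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The no-argument `SafeConstructor()` constructor is the SnakeYAML 1.x API that the Dubbo 2.7 line would have been built against; on SnakeYAML 2.x the equivalent is `new SafeConstructor(new LoaderOptions())`. The key whitelist is a second, independent layer: even with a safe loader, a rule document should only be accepted if its structure matches what the router expects.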


Mitigation:
Upgrade to 2.7.10 or the latest 2.7 version.
https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
https://dubbo.apache.org/en/blog/2020/05/18/past-releases/

Credit:
This issue was first reported by GitHub Security Lab

Jun