This topic describes the cause of Apache Dubbo security vulnerability CVE-2021-36162 and how to fix the vulnerability.

Vulnerability description

Apache Dubbo lets you override configuration or routing by publishing rules. The rules are stored in a configuration center such as ZooKeeper or Nacos and retrieved by consumers when they make a request, so that each consumer can find a valid endpoint.

YAML rules are parsed with the SnakeYAML library. By default, the SnakeYAML loader lets a YAML document invoke arbitrary constructors. An attacker with permission to write to the configuration center can tamper with the rules, and a consumer that reads the tampered rules from the registry is exposed to remote code execution (RCE).
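As an added illustration, not code from this page or from the Dubbo project, the loader patterns below put the weak default beside the hardened form and show the hardened loader rejecting a rule document that carries an explicit class tag. The class name RuleLoaderDemo, the sample rule text, and the SnakeYAML 1.x constructor signature (SnakeYAML 2.x requires a LoaderOptions argument) are assumptions.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class RuleLoaderDemo {

    // Constructed sample: a routing rule shaped like a Dubbo condition rule.
    static final String RULE =
            "scope: service\n"
          + "key: com.example.DemoService\n"
          + "enabled: true\n"
          + "conditions:\n"
          + "  - 'method=sayHello => host=10.0.0.1'\n";

    // Constructed sample: a rule document carrying an explicit '!!' class tag.
    // Such a tag asks the loader to instantiate a JVM class; the class chosen
    // here is harmless, the point is that a hardened loader refuses the tag.
    static final String TAGGED_RULE = "!!java.lang.Object {}\n";

    // Vulnerable pattern: the default constructor resolves explicit tags to
    // arbitrary classes, so tampered rule text decides what gets instantiated.
    static Object loadUnsafe(String text) {
        return new Yaml().load(text);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML types
    // (maps, lists, scalars) and rejects explicit class tags.
    static Object loadSafe(String text) {
        return new Yaml(new SafeConstructor()).load(text);
    }

    public static void main(String[] args) {
        Map<?, ?> rule = (Map<?, ?>) loadSafe(RULE);
        System.out.println("parsed rule for " + rule.get("key")
                + ", enabled=" + rule.get("enabled"));

        try {
            loadSafe(TAGGED_RULE);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // With SafeConstructor this is a ConstructorException about the tag.
            System.out.println("rejected tagged document: " + e.getMessage());
        }
    }
}
```

The same hardening applies wherever rule text from a registry is deserialized: a loader restricted to plain YAML types cannot be steered into instantiating application classes.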

Vulnerability severity

Medium

Affected users

  • All users who use Dubbo 2.7.0 to 2.7.12.
  • All users who use Dubbo 3.0.0 to 3.0.1.
  • All users who use Dubbo Admin.

Fixes

Update Dubbo to the fixed version that corresponds to the version you currently use.

  • If you use Dubbo 2.7.x, update Dubbo to 2.7.13.
  • If you use Dubbo 3.x, update Dubbo to 3.0.2.
  • If you use Dubbo Admin, update Dubbo Admin to the latest version.