This topic describes the cause of the Apache Dubbo security vulnerability CVE-2021-36163 and how to fix it.

Vulnerability description

Dubbo users can choose to use the Hessian protocol. Hessian is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton.

New HessianSkeleton instances are created without any configuration of the serialization factory. As a result, the access lists that Dubbo applies in earlier versions are not applied to the skeleton, and by default a HessianSkeleton has no allowed or blocked type list configured, so the request body is deserialized without type restrictions.
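To make the cause concrete, the following added example (not code from Dubbo or from this advisory) contrasts a skeleton served with the default, unconfigured factory against one served with an explicitly restricted SerializerFactory. It assumes the public Caucho Hessian API (com.caucho.hessian); the GreetingService interface and the com.example.api package are hypothetical placeholders, and whether Dubbo's embedded Hessian fork exposes the same ClassFactory methods is an assumption.

```java
import java.io.InputStream;
import java.io.OutputStream;

import com.caucho.hessian.io.SerializerFactory;
import com.caucho.hessian.server.HessianSkeleton;

// Hypothetical service API and implementation, constructed for this example.
interface GreetingService {
    String greet(String name);
}

class GreetingServiceImpl implements GreetingService {
    public String greet(String name) {
        return "Hello, " + name;
    }
}

public class HessianSkeletonFactoryConfig {

    // Weak: no SerializerFactory is supplied, so the skeleton falls back to a
    // default factory with no allowed or blocked type list. Whatever object
    // types the POST body names are resolved and deserialized unrestricted.
    static void serveUnrestricted(InputStream in, OutputStream out) throws Exception {
        HessianSkeleton skeleton =
                new HessianSkeleton(new GreetingServiceImpl(), GreetingService.class);
        skeleton.invoke(in, out);
    }

    // Hardened: build a factory whose ClassFactory runs in whitelist mode and
    // admits only the object types the service actually exchanges. Strings and
    // primitives are native Hessian types and do not pass through the class factory.
    static SerializerFactory restrictedFactory() {
        SerializerFactory factory = new SerializerFactory();
        factory.setAllowNonSerializable(false);        // refuse non-Serializable types
        factory.getClassFactory().setWhitelist(true);  // deny everything not listed
        factory.getClassFactory().allow("com.example.api.*"); // placeholder package
        return factory;
    }

    // The factory is passed explicitly on every invocation, so the skeleton never
    // falls back to the unconfigured default described in the advisory.
    static void serveRestricted(InputStream in, OutputStream out) throws Exception {
        HessianSkeleton skeleton =
                new HessianSkeleton(new GreetingServiceImpl(), GreetingService.class);
        skeleton.invoke(in, out, restrictedFactory());
    }
}
```

This illustrates the mechanism only; the supported fix remains upgrading to a Dubbo release that configures the factory itself, as listed under Fixes.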

Vulnerability severity

Low

Affected users

  • All users who use Dubbo 2.6.10 or earlier.
  • All users who use Dubbo 2.7.0 to 2.7.12.

Fixes

Update Dubbo to the version that corresponds to the version you currently use.

  • If you use Dubbo 2.6.x, update to 2.6.10.1 or 2.7.13.
  • If you use Dubbo 2.7.x, update to 2.7.13.