Apache Dubbo security vulnerability CVE-2021-37579: Bypass of the deserialization check - Enterprise Distributed Application Service

This topic describes the causes of Apache Dubbo security vulnerability CVE-2021-37579 and how to fix the vulnerability.

Vulnerability description

In most cases, Dubbo service providers check inbound requests to ensure that the deserialization types of the requests are allowed by the server. However, in one case, attackers can bypass the enabled deserialization check and use the native Java serialization mechanism to trigger deserialization operations.

Vulnerability severity

Medium

Affected users

All users who use Dubbo 2.7.0 to 2.7.12.
All users who use Dubbo 3.0.0 to 3.0.1.

Fixes

Update Dubbo to the specified version based on the existing version that you use.

If you use Dubbo 2.7.x, update Dubbo to 2.7.13.
If you use Dubbo 3.0.x, update Dubbo to 3.0.2.