This vulnerability is a remote code execution (RCE) vulnerability in loading YAML rules. An attacker with access to the configuration center can exploit this vulnerability to upload malicious YAML rules to trigger a deserialization vulnerability.

Vulnerability description

Apache Dubbo supports tag routing rules, which let consumers route a request to the intended destination server. The rules are stored in a configuration center such as ZooKeeper or Nacos and retrieved by consumers when they make a request, so that each consumer can find the valid endpoint.

When consumers parse these YAML rules, they use the SnakeYAML library to load them. By default, this loader allows a YAML tag to name an arbitrary Java class and invoke its constructor. An attacker with access to the configuration center, such as ZooKeeper or Nacos, can poison a YAML rule file, and the poisoned rule is then deserialized, and the attacker's code executed, when a consumer retrieves it.
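The following is an added example, not code from Apache Dubbo or from this advisory. It contrasts the default SnakeYAML loader, which honours class-naming tags, with a hardened loader built on SafeConstructor, which constructs only standard YAML types and rejects any tag that maps to a Java class. It assumes the SnakeYAML 1.33 or 2.x API (the SafeConstructor(LoaderOptions) constructor); the rule keys and the java.util.Date tag in the samples are constructed for illustration and are not Dubbo's rule schema or a real payload.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeRuleLoader {

    // Constructed sample rule: a plain mapping, which is all a routing rule needs.
    // Keys are illustrative and are not Dubbo's actual tag-router schema.
    static final String BENIGN_RULE = String.join("\n",
        "enabled: true",
        "key: demo-provider",
        "tags:",
        "  - name: tag1",
        "    addresses: [\"10.0.0.1:20880\"]");

    // Constructed sample carrying an explicit class tag. java.util.Date is harmless;
    // it is used only to show that the hardened loader rejects *any* tag that
    // resolves to a Java class rather than to a standard YAML type.
    static final String CLASS_TAGGED_RULE =
        "created: !!java.util.Date 2021-01-01T00:00:00Z";

    // Vulnerable pattern (the behaviour the advisory describes): the default
    // Constructor resolves !!fully.qualified.ClassName tags and instantiates
    // that class while loading, so the rule author controls which classes run.
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened pattern: SafeConstructor only builds maps, lists, strings, numbers,
    // booleans, nulls and timestamps. A tag naming a Java class has no registered
    // constructor and raises a YAMLException (ConstructorException) instead.
    static Map<String, Object> loadSafe(String yaml) {
        Yaml loader = new Yaml(new SafeConstructor(new LoaderOptions()));
        Object parsed = loader.load(yaml);
        // Shape check: a routing rule must be a top-level mapping, nothing else.
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException("rule must be a YAML mapping");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> rule = (Map<String, Object>) parsed;
        return rule;
    }

    public static void main(String[] args) {
        Map<String, Object> rule = loadSafe(BENIGN_RULE);
        System.out.println("safe loader accepted rule for key=" + rule.get("key"));

        try {
            loadSafe(CLASS_TAGGED_RULE);
            System.out.println("unexpected: class tag was accepted");
        } catch (YAMLException e) {
            // Expected: the class tag is refused before any class is instantiated.
            System.out.println("safe loader rejected class tag: " + e.getMessage());
        }
    }
}
```

Replacing `new Yaml()` with a SafeConstructor-backed loader is the change that removes the class-instantiation path; the shape check on top of it is cheap and catches rules that parse but are not the mapping the router expects. The default-constructor method is kept only as the 'before' pattern and is not exercised in `main`.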

Vulnerability severity

Low

Affected users

  • All users who use Dubbo 2.5.x
  • All users who use a Dubbo 2.6.x version earlier than 2.6.10
  • All users who use a Dubbo 2.7.x version earlier than 2.7.10

Fixes

Update Dubbo to the version listed for the release line that you currently use.

  • If you use Dubbo 2.5.x, update Dubbo to 2.6.10.1 or 2.7.12.
  • If you use Dubbo 2.6.x, update Dubbo to 2.6.10.1 or 2.7.12.
  • If you use Dubbo 2.7.x, update Dubbo to 2.7.12.