Apache Dubbo script routing, which evaluates routing rules as Nashorn scripts, is affected by a remote code execution (RCE) vulnerability. An attacker with write access to the configuration center can upload a malicious script routing rule and execute arbitrary code on every consumer that loads it.

Vulnerability description

Apache Dubbo (Dubbo for short) supports script routing rules, which let consumers route a request to the intended provider. The rules are stored in a configuration center such as ZooKeeper or Nacos and fetched by consumers at request time so that they can select the right endpoint.

When a consumer parses these rules, it uses the JRE ScriptEngineManager class to obtain a ScriptEngine (Nashorn by default) and evaluates the rule as a script. The engine is created with no class filter or sandbox, so a rule can load and call arbitrary Java classes, for example java.lang.Runtime.

An attacker with write access to the configuration center, such as ZooKeeper or Nacos, can poison a script rule. The malicious code then runs with the consumer's privileges as soon as the consumer retrieves and evaluates the rule.
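
The following is an added example, not Dubbo's own code, that reproduces the evaluation pattern described above in miniature: a routing rule is handed to a Nashorn engine with the candidate provider list bound as `invokers`. It contrasts a legitimate rule with a poisoned one (which reaches into `java.lang.System` rather than `Runtime.exec`, so it is harmless to run), and then evaluates both under a Nashorn `ClassFilter` allowlist. The rule strings, the `PROVIDERS` list, the `tryRule` helper and the allowlist are all constructed for this illustration; the filter is one possible hardening of the pattern, not the change shipped in the fixed Dubbo releases.

```java
import java.util.Arrays;
import java.util.List;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

/** Illustration of script routing evaluation; not Dubbo's ScriptRouter. */
public class ScriptRouteDemo {

    // Constructed sample: provider addresses a consumer might have fetched from the registry.
    static final List<String> PROVIDERS = Arrays.asList(
            "dubbo://10.0.0.1:20880/com.example.DemoService",
            "dubbo://10.0.0.2:20880/com.example.DemoService");

    // Legitimate rule (constructed): keep only the providers on host 10.0.0.1.
    static final String BENIGN_RULE =
            "(function route(invokers) {"
          + "  var result = new java.util.ArrayList();"
          + "  for (var i = 0; i < invokers.size(); i++) {"
          + "    if (invokers.get(i).indexOf('10.0.0.1') >= 0) result.add(invokers.get(i));"
          + "  }"
          + "  return result;"
          + "})(invokers);";

    // Poisoned rule (constructed): same shape, but it loads an arbitrary JDK class.
    // java.lang.System stands in for java.lang.Runtime so this demo has no side effects;
    // an attacker would call Runtime.getRuntime().exec(...) instead.
    static final String POISONED_RULE =
            "(function route(invokers) {"
          + "  var sys = Java.type('java.lang.System');"
          + "  return 'rule ran as ' + sys.getProperty('user.name');"
          + "})(invokers);";

    /** Evaluate a rule with the provider list bound as 'invokers', as a consumer would. */
    static String tryRule(String label, String rule, ScriptEngine engine) {
        try {
            Bindings bindings = engine.createBindings();
            bindings.put("invokers", PROVIDERS);
            Object routed = engine.eval(rule, bindings);
            return label + " -> " + routed;
        } catch (ScriptException | RuntimeException e) {
            // A ClassFilter denial surfaces as a ClassNotFoundException wrapped in ScriptException.
            return label + " -> rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Vulnerable pattern: a general-purpose engine, no restriction on Java class access.
        ScriptEngine unrestricted = new ScriptEngineManager().getEngineByName("nashorn");

        // Hardened pattern: Nashorn only resolves classes the allowlist approves (assumption:
        // routing rules legitimately need nothing beyond a result list).
        ClassFilter allowList = className -> className.equals("java.util.ArrayList");
        ScriptEngine restricted = new NashornScriptEngineFactory().getScriptEngine(allowList);

        System.out.println(tryRule("benign/unrestricted  ", BENIGN_RULE, unrestricted));
        System.out.println(tryRule("poisoned/unrestricted", POISONED_RULE, unrestricted));
        System.out.println(tryRule("benign/restricted    ", BENIGN_RULE, restricted));
        System.out.println(tryRule("poisoned/restricted  ", POISONED_RULE, restricted));
    }
}
```

Compile and run on JDK 8u40 through JDK 14 (Nashorn was removed in JDK 15; on JDK 9 to 14 the `jdk.nashorn.api.scripting` package lives in the `jdk.scripting.nashorn` module). The unrestricted engine returns the poisoned rule's string, proving the script reached the JVM; the filtered engine rejects it while the benign rule still routes. Two caveats apply to this kind of filter: it only governs class lookup from the script (`Java.type` and the `java.*` package objects), so every Java object passed in through the bindings remains fully callable and the binding set must itself be minimal; and it does nothing about who can write rules, so the configuration center still needs authentication and access control regardless of the Dubbo version in use.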

Vulnerability severity

Low. The rating reflects that exploitation requires write access to the configuration center; wherever ZooKeeper or Nacos is reachable without authentication, treat the issue as critical, since the result is arbitrary code execution on every consumer that loads the rule.

Affected users

  • All users who use Dubbo 2.5.x
  • All users who use a Dubbo 2.6.x version earlier than 2.6.10
  • All users who use a Dubbo 2.7.x version earlier than 2.7.10

Fixes

Update Dubbo to the version listed for the branch that you currently use.

  • If you use Dubbo 2.5.x, update Dubbo to 2.6.10.1 or 2.7.12.
  • If you use Dubbo 2.6.x, update Dubbo to 2.6.10.1 or 2.7.12.
  • If you use Dubbo 2.7.x, update Dubbo to 2.7.12.