A remote code execution (RCE) vulnerability exists in the Telnet handler. Attackers can exploit this vulnerability by sending crafted requests through the Telnet interface.

Vulnerability description

The primary service port of Apache Dubbo (Dubbo for short) can be used to reach the Telnet handler. An RCE vulnerability exists in the Invoke handler: attackers can send crafted requests to the Invoke handler through the Telnet interface.

Vulnerability severity

Medium

Affected users

  • All users who use Dubbo 2.5.x
  • All users who use a Dubbo 2.6.x version earlier than 2.6.10
  • All users who use a Dubbo 2.7.x version earlier than 2.7.10

Fixes

To prevent this vulnerability, you can update Dubbo or modify the configuration file of your application.

  • Update Dubbo.
    • If you use Dubbo 2.5.x, update Dubbo to 2.6.10.1 or 2.7.12.
    • If you use Dubbo 2.6.x, update Dubbo to 2.6.10.1 or 2.7.12.
    • If you use Dubbo 2.7.x, update Dubbo to 2.7.12.
  • Disable Telnet by setting dubbo.provider.telnet=exit in the configuration file of your application, such as application.properties.
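As an added audit helper (not part of this advisory or of Dubbo itself), the following Python checks a Dubbo version against the affected ranges listed above and looks for the dubbo.provider.telnet=exit setting in an application.properties file; the sample properties and version strings are constructed, and the minimal .properties reader is an assumption that covers only the common key=value form.

```python
"""Offline audit helper for the Dubbo Telnet handler RCE described above.

It answers two questions a defender can check without touching a live service:
  1. Is the deployed Dubbo version in an affected range? The advisory lists
     2.5.x, 2.6.x earlier than 2.6.10 and 2.7.x earlier than 2.7.10.
  2. Does application.properties carry the dubbo.provider.telnet=exit setting
     that the advisory gives as the configuration-side fix?
"""
import re
from typing import Dict, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    # "2.6.10.1" -> (2, 6, 10, 1); a "-SNAPSHOT"-style suffix is dropped.
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected_version(version: str) -> bool:
    # Tuple comparison handles four-part versions: (2, 6, 10, 1) is not < (2, 6, 10).
    v = parse_version(version)
    if v[:2] == (2, 5):
        return True
    if v[:2] == (2, 6):
        return v < (2, 6, 10)
    if v[:2] == (2, 7):
        return v < (2, 7, 10)
    return False


def parse_properties(text: str) -> Dict[str, str]:
    # Minimal Java .properties reader (assumption): key=value or key:value,
    # '#' / '!' comment lines, surrounding whitespace trimmed.
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def telnet_disabled(props: Dict[str, str]) -> bool:
    # The advisory's mitigation: dubbo.provider.telnet=exit
    return props.get("dubbo.provider.telnet", "").lower() == "exit"


def assess(version: str, properties_text: str) -> str:
    """Return 'not affected', 'mitigated' (telnet disabled) or 'vulnerable'."""
    if not is_affected_version(version):
        return "not affected"
    if telnet_disabled(parse_properties(properties_text)):
        return "mitigated"
    return "vulnerable"


# Constructed sample application.properties; not taken from the advisory.
SAMPLE_PROPERTIES = """\
# constructed sample
dubbo.application.name = demo-provider
dubbo.protocol.port = 20880
dubbo.provider.telnet = exit
"""

if __name__ == "__main__":
    for ver in ("2.5.10", "2.6.9", "2.6.10.1", "2.7.9", "2.7.12"):
        print(ver, "->", assess(ver, SAMPLE_PROPERTIES))
```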