This topic describes the cause of the Apache Dubbo security vulnerability CVE-2021-36161 and how to fix it.

Vulnerability description

Some Dubbo components build formatted strings from their input parameters, for example when composing a log or error message. Formatting an argument calls its toString method, so a request that carries a maliciously customized bean whose toString method has side effects can lead to remote code execution (RCE) before the argument is otherwise used. In the fixed version of Dubbo, the toString calls in the timeout and cache code paths are fixed.
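As an added illustration of the pattern the description refers to (this is not code from the Dubbo project or from this advisory), the Java snippet below stands in for a component that formats its input arguments into a message. MaliciousBean, describeArgsVulnerable and describeArgsHardened are hypothetical names; the bean's toString only records that it was invoked instead of running anything. The vulnerable form formats the raw arguments and so calls toString on an attacker-chosen object; the hardened form describes untrusted objects by class name and identity hash only.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not Dubbo code): formatting an untrusted argument calls its
// toString(), which is the mechanism behind CVE-2021-36161.
public class ToStringFormattingDemo {

    // Records calls made by the hypothetical attacker-chosen bean so the demo
    // shows the side effect without executing anything dangerous.
    static final List<String> SIDE_EFFECTS = new ArrayList<>();

    // Hypothetical bean whose toString() has a side effect. A real gadget class
    // would do something harmful here; this one only records the call.
    static class MaliciousBean {
        @Override
        public String toString() {
            SIDE_EFFECTS.add("toString() invoked on " + getClass().getSimpleName());
            return "harmless-looking value";
        }
    }

    // Vulnerable pattern: Arrays.toString() calls String.valueOf() on every
    // element, which invokes toString() on each untrusted argument.
    // String concatenation ("" + arg), String.format("%s", arg) and logger
    // placeholders ("{}") behave the same way.
    static String describeArgsVulnerable(Object[] args) {
        return "invoke failed, args=" + Arrays.toString(args);
    }

    // Hardened pattern: only print values of final JDK types whose toString()
    // cannot be overridden; describe everything else by class name and identity
    // hash, neither of which runs user code. Note that whitelisting an abstract
    // type such as Number would not be safe, since a subclass can override
    // toString().
    static String describeArgsHardened(Object[] args) {
        StringBuilder sb = new StringBuilder("invoke failed, args=[");
        for (int i = 0; i < args.length; i++) {
            Object a = args[i];
            if (i > 0) sb.append(", ");
            if (a == null) {
                sb.append("null");
            } else if (a instanceof String || a instanceof Integer
                    || a instanceof Long || a instanceof Boolean) {
                sb.append(a);
            } else {
                sb.append(a.getClass().getName())
                  .append('@')
                  .append(Integer.toHexString(System.identityHashCode(a)));
            }
        }
        return sb.append(']').toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: one benign argument and one attacker-chosen bean.
        Object[] untrusted = { "orderId-42", new MaliciousBean() };

        describeArgsVulnerable(untrusted);
        System.out.println("vulnerable: side effects = " + SIDE_EFFECTS);

        SIDE_EFFECTS.clear();
        System.out.println(describeArgsHardened(untrusted));
        System.out.println("hardened: side effects = " + SIDE_EFFECTS);
    }
}
```

Running the class shows one recorded call after the vulnerable formatter and none after the hardened one. The same rule applies to log statements: a logger placeholder still calls toString on the object it is given, so untrusted request objects should be described by type, not formatted, in error paths.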

Vulnerability severity

Low

Affected users

All users of Dubbo 2.7.0 through 2.7.12 (inclusive).

Fixes

If you use Dubbo 2.7.x, update Dubbo to 2.7.13. Confirm the version that is actually resolved on the classpath, including copies brought in transitively by other dependencies, for example with `mvn dependency:tree` or `gradle dependencies`.