This topic describes the cause, severity, affected versions, and security suggestions of the Apache Dubbo security vulnerability CVE-2021-43297.
Vulnerability description
A remote code execution (RCE) vulnerability exists in Dubbo Hessian Lite 3.2.11 or earlier. When a serialization exception occurs, Hessian Lite logs some information about the failure for users. The logged information includes the string form of the object involved, so the toString method of a custom bean can run during logging and execute malicious code, leading to RCE.
Vulnerability severity
High
Affected versions
- Apache Dubbo 2.6.0 to 2.6.11
- Apache Dubbo 2.7.0 to 2.7.14
- Apache Dubbo 3.0.0 to 3.0.4
Security suggestions
Update Apache Dubbo to one of the following versions, depending on the release line you use:
- Update Apache Dubbo 2.6.x to 2.6.12.
- Update Apache Dubbo 2.7.x to 2.7.15.
- Update Apache Dubbo 3.0.x to 3.0.5.
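As an added example that is not part of this advisory, the following Python script checks Maven `dependency:list` output against the affected ranges and fixed versions listed above and flags any Dubbo or Hessian Lite coordinate that needs attention. The input format and sample lines are constructed, and the legacy `com.alibaba` groupId for Dubbo 2.6.x is an assumption about older builds.

```python
"""Flag Dubbo dependency versions affected by CVE-2021-43297.

Affected ranges and fixed versions come from the advisory above; the input
format (Maven dependency:list lines) and the sample lines are constructed.
"""
import re

# (first_affected, last_affected, fixed_version) per Dubbo release line.
DUBBO_RANGES = [
    ((2, 6, 0), (2, 6, 11), "2.6.12"),
    ((2, 7, 0), (2, 7, 14), "2.7.15"),
    ((3, 0, 0), (3, 0, 4), "3.0.5"),
]
# Assumption: 2.6.x builds used the com.alibaba groupId, later ones org.apache.dubbo.
DUBBO_ARTIFACTS = {("com.alibaba", "dubbo"), ("org.apache.dubbo", "dubbo")}
HESSIAN_LITE_LAST_AFFECTED = (3, 2, 11)  # "3.2.11 or earlier" per the advisory

# groupId:artifactId:type:version[:scope], optionally prefixed by "[INFO]".
DEP_LINE = re.compile(r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+)(?::\w+)?\s*$")


def parse_version(text):
    """'2.7.14' -> (2, 7, 14); a qualifier such as '-SNAPSHOT' is dropped."""
    core = text.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def assess(group, artifact, version):
    """Return a finding string if the coordinate is affected, else None."""
    v = parse_version(version)
    if (group, artifact) in DUBBO_ARTIFACTS:
        for low, high, fixed in DUBBO_RANGES:
            if low <= v <= high:  # numeric tuple compare, so 2.7.9 < 2.7.14
                return f"{group}:{artifact}:{version} affected by CVE-2021-43297, upgrade to {fixed}"
    if (group, artifact) == ("com.alibaba", "hessian-lite") and v <= HESSIAN_LITE_LAST_AFFECTED:
        return f"{group}:{artifact}:{version} is Hessian Lite 3.2.11 or earlier (affected)"
    return None


def scan(lines):
    """Scan dependency-list lines and return findings in input order."""
    findings = []
    for line in lines:
        m = DEP_LINE.match(line)
        if m and (finding := assess(*m.groups())):
            findings.append(finding)
    return findings


# Constructed sample of `mvn dependency:list` output; not from a real build.
SAMPLE = [
    "[INFO]    org.apache.dubbo:dubbo:jar:2.7.13:compile",
    "[INFO]    com.alibaba:hessian-lite:jar:3.2.11:compile",
    "[INFO]    com.alibaba:dubbo:jar:2.6.12:compile",
    "[INFO]    org.apache.dubbo:dubbo:jar:3.0.5:compile",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```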
If you cannot fix the vulnerability immediately, or cannot yet confirm whether it affects you, we recommend that you activate Application Real-Time Monitoring Service (ARMS) as soon as possible. The service is based on Runtime Application Self-Protection (RASP) technology and can protect your applications from attacks. For more information, see What is Application Security?