CVE-2021-25641

9.8 CRITICAL

📋 TL;DR

CVE-2021-25641 is a critical deserialization vulnerability in Apache Dubbo. A Dubbo provider advertises the serialization protocol it works with, but affected versions also honour whatever serialization ID a client puts in the protocol header's preamble flags, so a remote unauthenticated attacker can choose the deserializer the provider will use. If a weak deserializer such as Kryo or FST is loadable on the provider's classpath, the attacker selects it and sends a payload crafted for it, which results in arbitrary code execution. Affected: all Apache Dubbo releases before 2.7.8 (2.7.x branch) and before 2.6.9 (2.6.x branch).

💻 Affected Systems

Products:
  • Apache Dubbo
Versions: All versions before 2.7.8 on the 2.7.x branch and before 2.6.9 on the 2.6.x branch (older, end-of-life branches are affected as well)
Operating Systems: All operating systems running Apache Dubbo
Default Config Vulnerable: ⚠️ Yes. The missing serialization-ID check is present in every affected build regardless of configuration; the default hessian2 serializer is not what the attacker targets, but nothing stops a client from requesting a different one.
Notes: Code execution requires a weak deserializer such as Kryo or FST to be loadable on the provider's classpath (for example as a transitive dependency), even when the service itself is configured for hessian2.

📦 What is this software?

Apache Dubbo is an open-source Java RPC framework. A provider exports services over the Dubbo protocol (binary over TCP, port 20880 by default), and every frame starts with a header whose flag byte carries the serialization ID that selects the (de)serializer for the body. Hessian2 is the default; Kryo, FST and others are optional serialization extensions selected by that ID.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution as the Dubbo provider's service account, leading to complete compromise of the host, theft of the data the service can reach, and lateral movement within the network.

🟠 Likely Case

Remote code execution resulting in service disruption, data exfiltration, and backdoor installation.

🟢 If Mitigated

A patched provider rejects any request whose serialization ID does not match the serialization configured for the invoked service, so a tampered preamble produces a decode error instead of a deserialization; alternatively the request is blocked at the network perimeter before it reaches the provider port.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to network-based attacks from compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward once a weak deserializer is confirmed on the target's classpath: the attacker sets that serializer's ID in the request preamble and sends a payload built for it. No credentials are required, only network reachability of the provider port.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.8 (2.7.x branch) or 2.6.9 (2.6.x branch)

Vendor Advisory: https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E

Restart Required: Yes

Instructions:

  1. Identify all Apache Dubbo instances, including providers embedded in other applications and older 2.6.x deployments that still use the com.alibaba:dubbo artifact.
  2. Upgrade to 2.7.8 or later (2.7.x) or 2.6.9 or later (2.6.x). The fixed releases compare the serialization ID in each request header against the serialization configured for the invoked service and reject mismatches, so a client can no longer pick its own deserializer.
  3. Restart all Dubbo services so the new jars are loaded.
  4. Verify the fix by checking the running version and confirming that a request carrying a serialization ID other than the configured one is rejected with a decode error.

🔧 Temporary Workarounds

Remove weak deserializers (platform: all)

Remove Kryo, FST, and other insecure deserializers from the classpath/dependencies. This takes away the targets the advisory names but does not fix the flaw itself (the provider still honours the client's serialization ID), so treat it as a stopgap until the upgrade.

Remove kryo, fst and related dependencies (including the dubbo-serialization-kryo and dubbo-serialization-fst modules) from pom.xml or build.gradle; check for transitive copies with mvn dependency:tree or gradle dependencies
Clean and rebuild the application, then confirm that no kryo or fst jar remains in the deployed lib directory

Network segmentation (platform: linux)

Restrict network access to Dubbo provider ports to the hosts that legitimately consume the service. The rules below assume the default Dubbo port 20880 and use trusted_network as a placeholder for the consumer subnet in CIDR form (for example 10.20.0.0/16). Order matters: the ACCEPT rule must precede the DROP rule, and any existing ACCEPT-all rule earlier in the chain would override both.

iptables -A INPUT -p tcp --dport 20880 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 20880 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls so that only known consumers can reach Dubbo provider ports
  • Deploy an intrusion prevention system (IPS) that understands the Dubbo protocol and alerts on serialization IDs other than the provider's configured one; a web application firewall (WAF) only helps for services exposed over Dubbo's HTTP or REST protocols, not the default binary dubbo:// protocol

🔍 How to Verify

Check if Vulnerable:

Confirm the Dubbo version is older than 2.7.8 (2.7.x) or 2.6.9 (2.6.x), then check whether a weak deserializer is loadable: look for kryo or fst jars in the deployed classpath, or run mvn dependency:tree -Dincludes=com.esotericsoftware:kryo,de.ruedigermoeller:fst on the build to catch transitive copies.

Check Version:

Read the version from the dubbo jar name or its MANIFEST.MF in the deployed lib directory, or from the org.apache.dubbo:dubbo (2.7.x) / com.alibaba:dubbo (2.6.x) dependency in pom.xml or build.gradle. Dubbo also appends "dubbo version: ..." to its own log lines, so application logs show the running version.

Verify Fix Applied:

Verify the running Dubbo version is 2.7.8+ or 2.6.9+ and confirm serialization enforcement: a request whose header carries a serialization ID different from the service's configured one must be rejected with a decode error rather than deserialized.
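The checks above, as an added example script (not from this page or from the Dubbo project): it classifies a Dubbo version against the fix versions and scans a deployed lib directory for the Kryo and FST jars the advisory names. It assumes a flat directory of jars with Maven-style names such as dubbo-2.7.7.jar, kryo-4.0.2.jar and fst-2.57.jar; jar names are an approximation of the classpath, so a Kryo copy shaded into a fat jar would not be seen.

```shell
#!/bin/sh
# Added example for this advisory (not from the page or the Dubbo project):
# classify a Dubbo version against the CVE-2021-25641 fix versions and look
# for the Kryo/FST jars the advisory names in a deployed lib directory.
# Assumes jars named like dubbo-2.7.7.jar, kryo-4.0.2.jar, fst-2.57.jar.

# dubbo_status VERSION -> prints "fixed" or "vulnerable".
# Fixed: 2.6.9+ on the 2.6 line, 2.7.8+ on the 2.7 line, every later line.
dubbo_status() {
    v=$1
    major=${v%%.*}
    rest=${v#"$major".}
    [ "$rest" = "$v" ] && rest=0          # no minor component given
    minor=${rest%%.*}
    rest=${rest#"$minor".}
    [ "$rest" = "$minor" ] && rest=0      # no patch component given
    patch=${rest%%[!0-9]*}                # strip -SNAPSHOT, .RELEASE, ...
    patch=${patch:-0}
    if [ "$major" -gt 2 ]; then echo fixed
    elif [ "$major" -lt 2 ]; then echo vulnerable
    elif [ "$minor" -gt 7 ]; then echo fixed
    elif [ "$minor" -eq 7 ] && [ "$patch" -ge 8 ]; then echo fixed
    elif [ "$minor" -eq 6 ] && [ "$patch" -ge 9 ]; then echo fixed
    else echo vulnerable
    fi
}

# dubbo_version_from_jars DIR -> version parsed from the first dubbo-*.jar name.
dubbo_version_from_jars() {
    for f in "$1"/dubbo-*.jar; do
        [ -e "$f" ] || continue
        basename "$f" | sed -n 's/^dubbo.*-\([0-9][0-9.]*[0-9]\).*\.jar$/\1/p'
    done | head -n 1
}

# weak_serializers_in DIR -> one line per Kryo/FST related jar found.
weak_serializers_in() {
    for f in "$1"/*.jar; do
        [ -e "$f" ] || continue
        b=$(basename "$f")
        case $b in
            kryo*|fst-*|dubbo-serialization-kryo*|dubbo-serialization-fst*) echo "$b" ;;
        esac
    done
}

# report DIR -> human-readable summary of version status and weak serializers.
report() {
    dir=$1
    ver=$(dubbo_version_from_jars "$dir")
    if [ -z "$ver" ]; then
        echo "no dubbo jar found in $dir"
        return 1
    fi
    echo "dubbo $ver: $(dubbo_status "$ver")"
    weak=$(weak_serializers_in "$dir")
    if [ -n "$weak" ]; then
        echo "weak deserializers on classpath:"
        echo "$weak"
    else
        echo "no Kryo/FST jars found"
    fi
}

# Usage: sh dubbo_check.sh /opt/app/lib
if [ $# -eq 1 ]; then
    report "$1"
fi
```

A "fixed" version with Kryo or FST jars present is still worth cleaning up, since the upgrade protects only Dubbo's own serialization selection; a "vulnerable" version without them is still vulnerable to the protocol flaw and should be upgraded rather than left as-is.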

📡 Detection & Monitoring

Log Indicators:

  • Decode or serialization errors on the provider for a serialization the service is not configured to use (on 2.7.8+/2.6.9+ a rejected request surfaces as a decode exception mentioning the unexpected serialization id)
  • Deserialization exceptions raised from Kryo or FST classes on a service configured for hessian2
  • Any Kryo or FST usage on a provider that never deliberately enabled them

Network Indicators:

  • Request frames whose flag byte's low five bits (the serialization ID) differ from the provider's configured serializer (hessian2 is ID 2)
  • The serialization ID changing between requests from the same client, or any request selecting Kryo (ID 8) or FST (ID 9)
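The network indicators above and the check the fixed releases perform, as an added Python example (not from this page or from the Dubbo project). It parses Dubbo protocol frame headers (magic 0xdabb, a flag byte with request/two-way/event bits and a five-bit serialization ID, status, 64-bit request ID, 32-bit body length) and applies the post-fix rule: a request's serialization ID must equal the serialization configured for the service, with Kryo and FST additionally flagged as weak. The sample traffic is constructed with placeholder bodies, and configured_id=2 (hessian2) is an assumption standing in for the provider's real setting.

```python
"""Added example for this advisory: parse Dubbo frame headers and flag requests
whose serialization ID does not match the provider's configured serializer.
The sample stream is constructed; bodies are placeholders, not real payloads."""
import struct

MAGIC = b"\xda\xbb"
HEADER_LEN = 16

# Serialization IDs carried in the low five bits of the flag byte
# (Dubbo's org.apache.dubbo.common.serialize.Constants).
SERIALIZATION_NAMES = {
    2: "hessian2",
    3: "java",
    4: "compactedjava",
    6: "fastjson",
    7: "nativejava",
    8: "kryo",
    9: "fst",
}
# The deserializers the advisory calls out as weak.
WEAK_SERIALIZATIONS = {8, 9}

FLAG_REQUEST, FLAG_TWO_WAY, FLAG_EVENT, SERIALIZATION_MASK = 0x80, 0x40, 0x20, 0x1F


def build_frame(serialization_id, request_id, body, is_request=True, two_way=True):
    """Construct one Dubbo frame: 16-byte header followed by the body bytes."""
    flag = serialization_id & SERIALIZATION_MASK
    if is_request:
        flag |= FLAG_REQUEST
    if two_way:
        flag |= FLAG_TWO_WAY
    status = 0 if is_request else 20  # 20 = OK on responses
    return struct.pack(">2sBBqI", MAGIC, flag, status, request_id, len(body)) + body


def parse_header(buf):
    """Decode the 16-byte header at the start of buf; ValueError on bad magic."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short header")
    magic, flag, status, request_id, body_len = struct.unpack(">2sBBqI", buf[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    sid = flag & SERIALIZATION_MASK
    return {
        "request": bool(flag & FLAG_REQUEST),
        "two_way": bool(flag & FLAG_TWO_WAY),
        "event": bool(flag & FLAG_EVENT),
        "serialization_id": sid,
        "serialization": SERIALIZATION_NAMES.get(sid, "unknown(%d)" % sid),
        "status": status,
        "request_id": request_id,
        "body_len": body_len,
    }


def check_request(header, configured_id):
    """Emulate the post-fix rule: a request must use the provider's configured
    serializer.  Returns the reasons to reject/alert (empty list = clean)."""
    reasons = []
    if not header["request"] or header["event"]:
        return reasons  # responses and heartbeat events carry no invocation
    sid = header["serialization_id"]
    if sid != configured_id:
        reasons.append("serialization id %d (%s) differs from configured %d (%s)" % (
            sid, header["serialization"], configured_id,
            SERIALIZATION_NAMES.get(configured_id, "?")))
    if sid in WEAK_SERIALIZATIONS:
        reasons.append("weak deserializer %s selected by client" % header["serialization"])
    return reasons


def audit_stream(data, configured_id):
    """Walk back-to-back frames; return (request_id, serialization, reasons)
    for every request that fails the check."""
    alerts = []
    offset = 0
    while offset + HEADER_LEN <= len(data):
        hdr = parse_header(data[offset:])
        reasons = check_request(hdr, configured_id)
        if reasons:
            alerts.append((hdr["request_id"], hdr["serialization"], reasons))
        offset += HEADER_LEN + hdr["body_len"]
    return alerts


def sample_stream():
    """Constructed traffic: a normal hessian2 request, its response, and a
    request whose flag byte was rewritten to select Kryo (ID 8)."""
    return b"".join([
        build_frame(2, 1, b"\x05sayHi"),                       # follows the server's hessian2
        build_frame(2, 1, b"\x03ok", is_request=False),        # provider response
        build_frame(8, 2, b"<kryo payload placeholder>"),     # tampered preamble flags
    ])


if __name__ == "__main__":
    for rid, name, why in audit_stream(sample_stream(), configured_id=2):
        print("request %d via %s: %s" % (rid, name, "; ".join(why)))
```

The same walk works over a reassembled TCP stream from a capture of port 20880 traffic; the offset arithmetic relies on the header's body length, so a truncated final frame ends the loop rather than misparsing.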

SIEM Query:

source="dubbo.logs" AND ("serialization id" OR "Kryo" OR "FST") AND (error OR exception)
