CVE-2021-30181

9.8 CRITICAL

📋 TL;DR

Apache Dubbo prior to versions 2.6.9 and 2.7.9 contains a remote code execution vulnerability in its Script routing feature. Attackers can exploit this by submitting malicious routing rules that get executed by the ScriptEngine, potentially allowing arbitrary code execution on affected servers. Organizations using vulnerable Dubbo versions with Script routing enabled are affected.

💻 Affected Systems

Products:
  • Apache Dubbo
Versions: All versions prior to 2.6.9 and 2.7.9
Operating Systems: All operating systems running Dubbo
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Script routing feature is enabled and used. Default configurations may not have this feature enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands, access sensitive data, deploy malware, or pivot to other systems in the network.

🟠

Likely Case

Remote code execution leading to data theft, service disruption, or deployment of cryptocurrency miners or ransomware.

🟢

If Mitigated

Limited impact if Script routing is disabled or proper input validation and sandboxing are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted routing rules to vulnerable endpoints. The vulnerability is in the ScriptEngine execution of user-supplied scripts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.9 and 2.7.9

Vendor Advisory: https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E

Restart Required: Yes

Instructions:

1. Upgrade Apache Dubbo to version 2.6.9 or 2.7.9 or later.
2. Update dependencies to use the patched version.
3. Restart all Dubbo services.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable Script Routing (applies to: all)

Disable the Script routing feature if it is not required for your use case. Modify the Dubbo configuration to remove or disable script routing rules.

Network Segmentation (applies to: all)

Restrict access to Dubbo services to trusted networks only. Configure firewall rules to limit access to the Dubbo port (default 20880).

🧯 If You Can't Patch

  • Disable Script routing feature entirely in Dubbo configuration
  • Implement strict input validation and sanitization for all routing rule inputs

🔍 How to Verify

Check if Vulnerable:

Check the Dubbo version and configuration. If you are running a release before 2.6.9 on the 2.6 line, or a 2.7.x release before 2.7.9, with Script routing enabled, you are vulnerable.

Check Version:

Check application dependencies or run: java -jar your-dubbo-app.jar --version

Verify Fix Applied:

Verify that the Dubbo version is 2.6.9 or later (2.6 line) or 2.7.9 or later (2.7 line), and test that Script routing no longer executes arbitrary code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script execution in routing logs
  • Errors related to ScriptEngine execution
  • Suspicious routing rule submissions

Network Indicators:

  • Unusual traffic to Dubbo ports (default 20880) with script-like payloads
  • Requests containing JavaScript or other scripting language code

SIEM Query:

source="dubbo" AND ("ScriptEngine" OR "routing.script" OR "javascript:")
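As an added example (not code from the advisory or the Apache Dubbo project), the version check from "How to Verify" and the keyword match behind the SIEM query above, run over constructed log lines; the log format and the `ScriptRouter` logger name are assumptions for illustration.

```python
import re

# Constructed sample log lines (not real captures); format is assumed.
SAMPLE_LOG_LINES = [
    "2021-06-01 10:00:01 INFO  ConditionRouter - applying rule host=10.0.0.1 => host=10.0.0.2",
    "2021-06-01 10:00:05 WARN  ScriptRouter - evaluating routing.script rule via ScriptEngine",
    "2021-06-01 10:00:07 ERROR ScriptRouter - ScriptEngine execution failed: ScriptException",
    "2021-06-01 10:00:09 INFO  RegistryDirectory - refreshed invokers for com.example.DemoService",
]

# Same terms as the SIEM query; one hit is enough to flag a line.
SCRIPT_ROUTING_INDICATORS = ("ScriptEngine", "routing.script", "javascript:")


def parse_version(version):
    """Return (major, minor, patch) from a version string such as '2.7.8' or '2.7.8-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Dubbo version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """Affected ranges per the advisory: anything before 2.6.9, and 2.7.0 up to but not including 2.7.9.

    2.6.9+, 2.7.9+ and later major lines are treated as fixed. Note that a fixed version
    is only half the story: Script routing must also be checked in the configuration.
    """
    v = parse_version(version)
    return v < (2, 6, 9) or (2, 7, 0) <= v < (2, 7, 9)


def flag_script_routing_lines(lines):
    """Return the log lines containing any advisory indicator (case-insensitive match)."""
    needles = tuple(n.lower() for n in SCRIPT_ROUTING_INDICATORS)
    return [line for line in lines if any(n in line.lower() for n in needles)]


if __name__ == "__main__":
    for ver in ("2.6.8", "2.6.9", "2.7.8", "2.7.9", "3.0.0"):
        print(f"{ver}: {'VULNERABLE' if is_vulnerable_version(ver) else 'not in affected range'}")
    for hit in flag_script_routing_lines(SAMPLE_LOG_LINES):
        print("FLAGGED:", hit)
```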
