CVE-2021-36162

8.8 HIGH

📋 TL;DR

CVE-2021-36162 is a remote code execution vulnerability in Apache Dubbo that allows attackers with access to the configuration center to poison YAML routing rules. When vulnerable Dubbo consumers retrieve these poisoned rules, the SnakeYAML parser executes arbitrary constructors, leading to RCE on all affected consumer instances. This affects organizations using Apache Dubbo with configuration centers like Zookeeper or Nacos.

💻 Affected Systems

Products:
  • Apache Dubbo
Versions: All 2.x versions before 2.7.13 and all 3.0.x versions before 3.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using configuration centers (Zookeeper, Nacos, etc.) with YAML rule parsing enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of all Dubbo consumer instances, allowing complete control over affected systems and potential lateral movement across the infrastructure.

🟠 Likely Case

RCE on Dubbo consumer instances leading to data theft, service disruption, or deployment of malware/backdoors.

🟢 If Mitigated

Limited to configuration center compromise only, with no impact on consumer instances if patched or workarounds applied.

🌐 Internet-Facing: MEDIUM - Requires access to configuration center which may be internet-facing in some deployments.
🏢 Internal Only: HIGH - Configuration centers are often internal but accessible to various teams, increasing attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to the configuration center and knowledge of Dubbo's rule format. No public exploit code is available, but the vulnerability is well documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Dubbo 2.7.13 or 3.0.2

Vendor Advisory: https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E

Restart Required: Yes

Instructions:

1. Identify all Dubbo instances.
2. Upgrade to Dubbo 2.7.13 or 3.0.2.
3. Restart all Dubbo services.
4. Verify configuration center rules are not compromised.

🔧 Temporary Workarounds

Restrict Configuration Center Access

all

Limit access to configuration centers to authorized personnel only and implement strict access controls.

Validate YAML Rules

all

Implement validation of YAML rules before they are loaded into the configuration center.
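One way to implement such a pre-load check, as an added example that is not from this page or from the Dubbo project: the rule is composed with SnakeYAML 1.x (composing builds the node graph without instantiating any Java objects) and rejected if any node carries a tag outside the plain YAML scalar and collection tags, since a tag naming a Java class is what a poisoned rule needs in order to reach an arbitrary constructor. The class and method names are assumptions, and the sample rule is constructed.

```java
import java.io.StringReader;
import java.util.Set;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.nodes.MappingNode;
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.NodeTuple;
import org.yaml.snakeyaml.nodes.SequenceNode;
import org.yaml.snakeyaml.nodes.Tag;

/** Hypothetical pre-load gate for routing rules (added example, not Dubbo's code). */
public final class RuleYamlGate {
    // Core YAML tags a routing rule legitimately needs; anything else
    // (a "!!fully.qualified.Class" tag) is what a poisoned rule relies on.
    private static final Set<Tag> ALLOWED = Set.of(
            Tag.MAP, Tag.SEQ, Tag.STR, Tag.INT, Tag.FLOAT, Tag.BOOL, Tag.NULL);

    /** True if every node in the rule carries an allowed tag. */
    public static boolean isSafe(String ruleYaml) {
        // compose() only builds the node graph; no Java objects are
        // constructed, so inspecting a hostile document here is safe.
        Node root = new Yaml(new SafeConstructor()).compose(new StringReader(ruleYaml));
        return root == null || onlyAllowedTags(root);
    }

    private static boolean onlyAllowedTags(Node node) {
        if (!ALLOWED.contains(node.getTag())) return false;
        if (node instanceof MappingNode) {
            for (NodeTuple t : ((MappingNode) node).getValue()) {
                if (!onlyAllowedTags(t.getKeyNode()) || !onlyAllowedTags(t.getValueNode())) return false;
            }
        } else if (node instanceof SequenceNode) {
            for (Node child : ((SequenceNode) node).getValue()) {
                if (!onlyAllowedTags(child)) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample shaped like a Dubbo condition-router rule.
        String rule = "scope: application\nforce: true\nenabled: true\nkey: demo-consumer\n"
                + "conditions:\n  - 'method=sayHello => region=hangzhou'\n";
        // A rule carrying a class-mapped tag is rejected before it reaches the center.
        String tagged = "key: !!java.lang.Object {}\n";
        System.out.println("benign rule accepted: " + isSafe(rule));
        System.out.println("tagged rule accepted: " + isSafe(tagged));
    }
}
```

Run the gate in whatever tooling writes rules to the configuration center (CI job, admin console, or a pre-commit hook), so that a rule failing the check is never published to consumers.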

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate configuration centers from untrusted networks.
  • Monitor configuration center access logs for unauthorized modifications to routing rules.

🔍 How to Verify

Check if Vulnerable:

Check the Dubbo version: if it is below 2.7.13 (2.x branch) or below 3.0.2 (3.x branch) and the deployment uses a configuration center with YAML rules, the system is vulnerable.

Check Version:

Check application logs or use Dubbo's admin interface to verify version. For Java applications: System.getProperty("dubbo.version") or check pom.xml/dependencies.

Verify Fix Applied:

Verify Dubbo version is 2.7.13 or higher (2.x branch) or 3.0.2 or higher (3.x branch). Test YAML rule parsing with safe test rules.

📡 Detection & Monitoring

Log Indicators:

  • Unusual YAML parsing errors in Dubbo logs
  • Unexpected Java class loading in consumer instances
  • Configuration center access from unauthorized sources

Network Indicators:

  • Unusual traffic from configuration center to Dubbo consumers
  • Suspicious outbound connections from Dubbo instances post-configuration retrieval

SIEM Query:

(source="dubbo.logs" AND ("YAML" OR "SnakeYAML") AND ("error" OR "exception")) OR (source="config-center" AND "modify" AND "rules")
