CVE-2021-36163
📋 TL;DR
Apache Dubbo's Hessian protocol implementation has a critical deserialization vulnerability that allows unauthenticated remote code execution. Attackers can exploit this by sending malicious POST requests to exposed generic services without needing valid service/method names. All Apache Dubbo deployments using Hessian protocol are affected.
💻 Affected Systems
- Apache Dubbo
📦 What is this software?
Dubbo by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with full remote code execution, data exfiltration, and lateral movement within the network.
Likely Case
Remote code execution leading to data theft, service disruption, and potential ransomware deployment.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Exploitation is straightforward as attackers don't need valid service/method names. Public exploit code exists for similar Hessian deserialization vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.13 or 2.6.10.1
Vendor Advisory: https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E
Restart Required: Yes
Instructions:
1. Identify the Apache Dubbo version in use.
2. Upgrade to 2.7.13 (2.7.x) or 2.6.10.1 (2.6.x).
3. Restart all Dubbo services.
4. Verify the fix by checking the version and testing the Hessian endpoints.
🔧 Temporary Workarounds
Disable Hessian Protocol
Remove or disable the Hessian protocol configuration if it is not required for business operations.
Modify dubbo.properties or application configuration to remove Hessian protocol references
Network Access Control
Restrict network access to Dubbo Hessian endpoints using firewall rules, allowing only trusted source addresses:
iptables -A INPUT -p tcp --dport [dubbo-port] -s [trusted-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [dubbo-port] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Dubbo services from untrusted networks
- Deploy web application firewall (WAF) with deserialization attack detection rules
🔍 How to Verify
Check if Vulnerable:
Check the Dubbo configuration for Hessian protocol usage and verify that the version is below 2.7.13 (2.7.x) or below 2.6.10.1 (2.6.x)
Check Version:
Check application logs or use Dubbo admin console to verify version
Verify Fix Applied:
Confirm the version is 2.7.13 or higher (2.6.10.1 or higher for 2.6.x) and test the Hessian endpoints with security scanning tools
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Hessian endpoints
- Deserialization errors in logs
- Unexpected process execution
Network Indicators:
- Malformed serialized objects in HTTP POST bodies
- Exploit payload patterns in network traffic
SIEM Query:
source="dubbo" AND ((method="POST" AND uri="*hessian*" AND size>10000) OR error="deserialization")
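The same detection logic as the SIEM query above, applied offline to sample log lines, as an added example that is not part of this advisory. The key=value log format and the threshold constant are assumptions; the log lines are constructed, not real Dubbo output.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines in a key=value format (assumed, not Dubbo's real layout).
SAMPLE_LOGS = [
    'source="dubbo" method="POST" uri="/hessian/GenericService" size=24576 status=500',
    'source="dubbo" method="POST" uri="/hessian/GenericService" size=812 status=200',
    'source="dubbo" method="GET" uri="/status" size=0 status=200',
    'source="dubbo" method="POST" uri="/hessian/OrderService" size=1200 '
    'error="deserialization failed: com.caucho.hessian.io.HessianProtocolException"',
    'source="nginx" method="POST" uri="/hessian/GenericService" size=30000 status=404',
]

SIZE_THRESHOLD = 10000  # bytes; mirrors size>10000 in the advisory's query


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line; shlex keeps quoted values with spaces intact."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Return the name of the rule that fires for one parsed line, or None."""
    if fields.get("source") != "dubbo":          # outer AND: only Dubbo sources
        return None
    if (fields.get("method") == "POST"
            and "hessian" in fields.get("uri", "").lower()
            and int(fields.get("size", "0")) > SIZE_THRESHOLD):
        return "large_hessian_post"              # oversized POST to a Hessian endpoint
    if "deserialization" in fields.get("error", "").lower():
        return "deserialization_error"           # failed deserialization logged by the service
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule) for every line that matches a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        rule = classify(parse_kv(line))
        if rule:
            hits.append((n, rule))
    return hits


if __name__ == "__main__":
    for n, rule in scan(SAMPLE_LOGS):
        print(f"line {n}: {rule}")
```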