CVE-2021-43297
📋 TL;DR
A deserialization vulnerability in Hessian-lite, the Hessian2 serialization library bundled with Apache Dubbo, allows a remote attacker who can reach a Dubbo service port to execute arbitrary code by sending crafted serialized data; the Dubbo protocol does not authenticate callers by default. Affected: Apache Dubbo 2.6.x before 2.6.12, 2.7.x before 2.7.15, and 3.0.x before 3.0.5. The trigger sits in Hessian-lite's error handling: when the decoder meets a type tag it did not expect, it deserializes the object that follows and calls its toString() while building the exception message, so an attacker-supplied object can drive a toString()-based gadget chain on the server before the "unexpected type" error is ever raised.
💻 Affected Systems
- Apache Dubbo
📦 What is this software?
Dubbo by Apache: an open-source Java RPC and microservice framework. Providers expose services over Dubbo's own binary protocol (default port 20880), and that protocol serializes request bodies with Hessian2 by default, implemented by the bundled Hessian-lite library.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution as the service account running Dubbo, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Remote code execution leading to service disruption, data exfiltration, or installation of backdoors on vulnerable systems.
If Mitigated
Limited impact if the service runs as a low-privilege account, Dubbo ports are reachable only from trusted consumers, and decode failures are monitored; exploitation could still disrupt the service or run code within whatever the service account can reach.
🎯 Exploit Status
Exploitation requires network reach to a Dubbo protocol port (20880 by default) and a crafted Hessian2 payload; because the Dubbo protocol performs no authentication by default, exposure is equal to reachability. A working chain additionally depends on a class with an exploitable toString() being present on the server's classpath, which varies per deployment, so the same payload will not succeed everywhere.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Dubbo 2.6.12, 2.7.15, or 3.0.5
Vendor Advisory: https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww
Restart Required: Yes
Instructions:
1. Inventory every Dubbo instance, providers and consumers alike, and record its version; embedded fat jars and sidecar services count too.
2. Upgrade to 2.6.12, 2.7.15, or 3.0.5 (or a later release in the same branch), matching the major/minor line you currently run.
3. Restart all Dubbo services after the upgrade; the fix is in the serialization library loaded at startup, so a running process keeps the old code until restarted.
4. Verify: confirm the running version, confirm that the hessian-lite jar on the classpath (where it is a separate artifact rather than part of the dubbo jar) was replaced along with Dubbo and not pinned by dependency management, and run the service's normal RPC tests to catch serialization regressions between providers and consumers on different versions.
🔧 Temporary Workarounds
Disable Hessian serialization
Applies to: all. Switch to a different serialization protocol if possible, though this may break compatibility with existing clients.
Set the protocol's serialization attribute, e.g. dubbo.protocol.serialization=fastjson in dubbo.properties or serialization="kryo" on the dubbo:protocol element in XML configuration, and roll the change out to every consumer and provider together. Two caveats: the alternatives (Kryo, FST, fastjson) carry deserialization risks of their own and must be kept patched, and a Dubbo request header carries the serialization ID chosen by the client, so verify on a test instance that Hessian2-encoded requests are actually rejected after the change rather than assuming the server-side configuration alone prevents them.
Network segmentation and access control
Applies to: all. Restrict network access to Dubbo services to trusted sources only.
Configure firewall rules to allow only known consumer hosts to reach Dubbo ports (default 20880, plus any non-default ports set per protocol), and make sure the ports are not reachable from the internet or from untrusted internal segments; the protocol itself will not reject an unknown caller.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted sources only.
- Monitor logs for HessianProtocolException errors whose message names an unexpected class ("expected ... at 0x.. <class> (...)"); a burst of these from one source, or any class outside your own application packages, warrants investigation.
🔍 How to Verify
Check if Vulnerable:
Determine the Dubbo version from application logs, the jars on the classpath, or the build's dependency list. Versions 2.6.0-2.6.11, 2.7.0-2.7.14, and 3.0.0-3.0.4 are vulnerable.
Check Version:
Every [DUBBO] log line written by Dubbo 2.7.x and later ends with "dubbo version: x.y.z, current host: ...", so the running version can be read straight from the logs. Otherwise inspect the jar names on the classpath (dubbo-<version>.jar or dubbo-<module>-<version>.jar), run mvn dependency:list on the build, or read dubbo.properties and the application configuration. For running services, use Dubbo Admin if it is deployed.
Verify Fix Applied:
Confirm the version is 2.6.12 or later on the 2.6 branch, 2.7.15 or later on 2.7, or 3.0.5 or later on 3.0. Because the vulnerable code lives in Hessian-lite, also confirm that no older hessian-lite jar remains on the classpath next to the upgraded Dubbo jars. Then exercise normal RPC calls between providers and consumers to make sure nothing regressed.
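The version ranges above, as an added example that is not part of the original page or of the Dubbo project: a small Python checker that applies them to jar file names found in a deployment directory and to mvn dependency:list output. The sample file names and Maven output are constructed; branches this page does not list (for example 2.5.x or 3.1.x) are reported as unknown rather than guessed.

```python
import re
from pathlib import Path

# First fixed version per affected branch, as stated in the Official Fix section.
# Branches absent from this table are not covered by the page: report, don't guess.
FIXED = {(2, 6): (2, 6, 12), (2, 7): (2, 7, 15), (3, 0): (3, 0, 5)}

# Matches dubbo-2.7.12.jar, dubbo-common-3.0.4.jar, dubbo-2.7.15-SNAPSHOT.jar ...
JAR_RE = re.compile(r"^dubbo(?:-[a-z0-9]+)*-(\d+)\.(\d+)\.(\d+)(?:[-.].*)?\.jar$")
# 'mvn dependency:list' lines; 2.6.x shipped under com.alibaba, 2.7+ under org.apache.dubbo
MVN_RE = re.compile(
    r"(?:org\.apache\.dubbo|com\.alibaba):(dubbo(?:-[\w-]+)?):jar:(\d+\.\d+\.\d+)"
)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'unknown-branch' or 'unparseable' for a version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparseable"
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


def scan_jar_names(paths):
    """Map each Dubbo jar file name to (version, verdict); other jars are ignored."""
    findings = {}
    for p in paths:
        name = Path(p).name
        m = JAR_RE.match(name)
        if m:
            version = ".".join(m.groups())
            findings[name] = (version, classify(version))
    return findings


def scan_dir(root):
    """Walk a deployment directory (lib/, WEB-INF/lib/, an exploded fat jar) for Dubbo jars."""
    return scan_jar_names(str(p) for p in Path(root).rglob("*.jar"))


def scan_maven_list(text):
    """Map artifactId -> (version, verdict) from 'mvn dependency:list' output."""
    findings = {}
    for line in text.splitlines():
        m = MVN_RE.search(line)
        if m:
            artifact, version = m.groups()
            findings[artifact] = (version, classify(version))
    return findings


# Constructed sample inputs (not taken from a real system).
SAMPLE_JARS = [
    "lib/dubbo-2.7.12.jar",
    "lib/dubbo-common-3.0.5.jar",
    "lib/dubbo-2.6.12.jar",
    "lib/hessian-lite-3.2.11.jar",   # not matched: review it together with its Dubbo version
    "lib/netty-all-4.1.77.Final.jar",
]
SAMPLE_MVN = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.dubbo:dubbo:jar:2.7.13:compile
[INFO]    org.apache.dubbo:dubbo-registry-nacos:jar:3.0.1:compile
[INFO]    com.alibaba:hessian-lite:jar:3.2.11:compile
"""

if __name__ == "__main__":
    for name, (v, verdict) in scan_jar_names(SAMPLE_JARS).items():
        print(f"{name}: {v} -> {verdict}")
    for art, (v, verdict) in scan_maven_list(SAMPLE_MVN).items():
        print(f"{art}: {v} -> {verdict}")
```

Point scan_dir at the unpacked deployment and scan_maven_list at the build's dependency list; a fixed Dubbo jar sitting next to a stale hessian-lite jar is the case the jar scan alone will not catch, which is why the sample keeps that jar visible instead of silently dropping it.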
📡 Detection & Monitoring
Log Indicators:
- HessianProtocolException errors during request decoding whose message reads "expected <type> at 0x<byte> <class> (...)"; the class named there is the one the client made the server deserialize
- Stack traces passing through com.alibaba.com.caucho.hessian.io.Hessian2Input.expect, typically logged by Dubbo as "Decode rpc invocation failed"
- Unusual outbound connections from Dubbo service hosts, or child processes spawned by the JVM, shortly after such errors
Network Indicators:
- Malformed serialized data sent to Dubbo ports (default 20880)
- Unusual traffic patterns to Dubbo endpoints
SIEM Query:
Search Dubbo provider logs for "HessianProtocolException" or "Decode rpc invocation failed", group by the class name that follows "at 0x.." in the message, and alert on classes outside your own application packages or on bursts of these errors from a single source; occasional mismatches also come from version-skewed or buggy clients, so the class name and the volume are the discriminators.
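The log triage described in this section, as an added example that is not from the original page or the Dubbo project: Python that parses the HessianProtocolException message produced by Hessian2Input.expect(), records which class the client caused the server to deserialize, and flags classes outside the application's own packages. The sample log excerpt is constructed (its layout mimics the WARN plus stack trace Dubbo 2.7.x writes when a request fails to decode), and the com.acme. package prefix is an assumption; confirm the exact message and logger format against your own deployment's logs before wiring this into a SIEM.

```python
import re
from collections import Counter

# Hessian2Input.expect() builds its exception message as
#   "expected <type> at 0x<tag byte> <class name> (<obj.toString()>)"
# The class name is whatever the client put on the wire, and the toString() in
# parentheses is the dangerous step, so the message itself is the indicator.
EXPECT_RE = re.compile(
    r"expected (?P<expected>\S+) at 0x(?P<byte>[0-9a-fA-F]{1,2}) (?P<cls>[\w$.]+)"
)
EXC_MARKER = "HessianProtocolException"
FRAME_MARKER = "Hessian2Input.expect("

# Constructed sample excerpt, not from a real deployment.
SAMPLE_LOG = """\
2024-03-02 11:04:17 WARN  [DubboServerHandler-10.0.0.5:20880-thread-7] DecodeableRpcInvocation - [DUBBO] Decode rpc invocation failed: expected string at 0x4d com.acme.orders.OrderRequest (OrderRequest{id=1}), dubbo version: 2.7.12, current host: 10.0.0.5
com.alibaba.com.caucho.hessian.io.HessianProtocolException: expected string at 0x4d com.acme.orders.OrderRequest (OrderRequest{id=1})
\tat com.alibaba.com.caucho.hessian.io.Hessian2Input.expect(Hessian2Input.java)
\tat com.alibaba.com.caucho.hessian.io.Hessian2Input.readString(Hessian2Input.java)
2024-03-02 11:04:19 WARN  [DubboServerHandler-10.0.0.5:20880-thread-9] DecodeableRpcInvocation - [DUBBO] Decode rpc invocation failed: expected string at 0x4f some.third.party.Bean (...), dubbo version: 2.7.12, current host: 10.0.0.5
com.alibaba.com.caucho.hessian.io.HessianProtocolException: expected string at 0x4f some.third.party.Bean (...)
\tat com.alibaba.com.caucho.hessian.io.Hessian2Input.expect(Hessian2Input.java)
2024-03-02 11:04:20 INFO  [main] DubboBootstrap - [DUBBO] Dubbo application started, dubbo version: 2.7.12, current host: 10.0.0.5
"""


def extract_events(log_text, app_prefixes=("com.acme.",)):
    """One event per HessianProtocolException line carrying an expect() message.

    Only the exception line is counted, not the WARN line that repeats it,
    so each decode failure yields exactly one event."""
    prefixes = tuple(app_prefixes)   # assumed application package prefixes
    events = []
    for line in log_text.splitlines():
        if EXC_MARKER not in line:
            continue
        m = EXPECT_RE.search(line)
        if not m:
            continue
        cls = m.group("cls")
        events.append({
            "expected": m.group("expected"),         # type Hessian wanted to read
            "tag_byte": int(m.group("byte"), 16),    # type tag actually on the wire
            "cls": cls,                              # class the server deserialized
            "foreign": not cls.startswith(prefixes), # outside our own packages?
        })
    return events


def count_expect_frames(log_text):
    """Stack frames through Hessian2Input.expect(): the risky code path was reached."""
    return sum(1 for line in log_text.splitlines() if FRAME_MARKER in line)


def triage(log_text, app_prefixes=("com.acme.",)):
    """Summarise decode failures and flag those involving non-application classes."""
    events = extract_events(log_text, app_prefixes)
    suspicious = [e for e in events if e["foreign"]]
    return {
        "expect_errors": len(events),
        "expect_frames": count_expect_frames(log_text),
        "by_class": dict(Counter(e["cls"] for e in events)),
        "suspicious": suspicious,
        "verdict": "investigate" if suspicious else "no-foreign-classes",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"], result["by_class"])
    for e in result["suspicious"]:
        print("foreign class deserialized:", e["cls"], "tag 0x%02x" % e["tag_byte"])
```

Run it over the provider's log rather than the consumer's; a single mismatch with one of your own classes is usually a version-skewed client, while any class you do not own, or a burst of errors from one worker thread, is the signal to pull the packet capture for port 20880 and check what else the JVM did next.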