CVE-2021-25641
published 2021-06-01CVE-2021-25641: Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or…
PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
17.67%
96.8th percentile
Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | dubbo | >= 2.5.0 < 2.6.9 | 2.6.9 |
| apache | dubbo | >= 2.7.0 < 2.7.8 | 2.7.8 |
| apache_software_foundation | apache_dubbo | >= Apache Dubbo 2.6.x < 2.6.9 | 2.6.9 |
| apache_software_foundation | apache_dubbo | >= Apache Dubbo 2.7.x < 2.7.8 | 2.7.8 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Deserializer tampering in Apache Dubbo
osv·2022-03-18
CVE-2021-25641 [CRITICAL] Deserializer tampering in Apache Dubbo
Deserializer tampering in Apache Dubbo
Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.
GHSA
Deserializer tampering in Apache Dubbo
ghsa·2022-03-18
CVE-2021-25641 [CRITICAL] CWE-502 Deserializer tampering in Apache Dubbo
Deserializer tampering in Apache Dubbo
Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-06-01
Published