CVE-2021-25641

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::

History

No history.

Information

Published : 2021-06-01 14:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-25641

Mitre link : CVE-2021-25641

CVE.ORG link : CVE-2021-25641

JSON object : View

Products Affected

apache

dubbo

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2021-25641", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-06-01T14:15:09.737", "references": [{"url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it."}, {"lang": "es", "value": "Cada servidor Apache Dubbo ajusta una identificaci\u00f3n de serializaci\u00f3n para indicar a los clientes en qu\u00e9 protocolo de serializaci\u00f3n est\u00e1 trabajando. Pero para Dubbo versiones anteriores a la 2.7.8 o 2.6.9, un atacante puede elegir qu\u00e9 ID de serializaci\u00f3n usar\u00e1 el Proveedor alterando los flags de pre\u00e1mbulo de bytes, es decir, sin seguir las instrucciones del servidor. Esto significa que si un deserializador d\u00e9bil como Kryo y FST est\u00e1n de alguna manera en el alcance del c\u00f3digo (por ejemplo, si Kryo es de alguna manera parte de una dependencia), un atacante remoto no autenticado puede decirle al Proveedor que use el deserializador d\u00e9bil y luego proceder a explotarlo"}], "lastModified": "2021-06-10T13:28:56.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35FDD1BF-2F98-47A3-810B-244ADABF883D", "versionEndExcluding": "2.6.9", "versionStartIncluding": "2.5.0"}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A18E0E5C-4E03-4F13-A368-A63B8118AACF", "versionEndExcluding": "2.7.8", "versionStartIncluding": "2.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}