Critical Apache Dubbo CVE-2021-43297 Vulnerability: Risks and Fixes
On January 14, 2022, 360CERT reported a high‑severity CVE‑2021‑43297 deserialization flaw in Apache Dubbo’s hessian‑lite (up to version 3.2.11) that can lead to remote code execution, detailing its impact, affected versions, risk rating, and recommending immediate upgrades to safe releases.
1 Vulnerability Overview
On 2022-01-14, 360CERT observed that Apache released a security advisory for Apache Dubbo hessian-lite, identifying CVE-2021-43297 as a high-severity (CVSS 7.5) vulnerability.
Dubbo is a high-performance, lightweight open-source Java RPC framework offering interface-based remote method calls, intelligent fault tolerance and load balancing, and automatic service registration and discovery.
360CERT recommends users upgrade Apache Dubbo to the latest version and perform asset checks to prevent attacks.
2 Risk Rating
360CERT’s assessment rates the vulnerability as high severity.
3 Vulnerability Details
CVE-2021-43297: Apache Dubbo Code Execution Vulnerability
CVE: CVE-2021-43297
Component: Apache Dubbo
Vulnerability Type: Deserialization
Impact: Remote code execution
Description: Apache Dubbo hessian-lite versions up to and including 3.2.11 contain a deserialization flaw. Most Dubbo deployments use the Hessian2 serialization protocol by default; when Hessian encounters an exception during deserialization it may log user-supplied information, which can potentially lead to remote command execution.
4 Affected Versions
5 Mitigation Recommendations
General Patch Advice
Based on the affected versions information, identify and upgrade to the secure version. Download links: https://github.com/apache/dubbo/releases
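The asset check recommended above can be scripted against `mvn dependency:tree` output. The Python below is an added example, not part of the 360CERT advisory: it flags any `com.alibaba:hessian-lite` dependency at or below 3.2.11, the last affected release named in this advisory. The Maven coordinates of the hessian-lite artifact and the sample tree are assumptions constructed for the example.

```python
import re

# Threshold from the advisory: hessian-lite releases up to and including 3.2.11 are affected.
LAST_AFFECTED = (3, 2, 11)

# Maven coordinates of Dubbo's Hessian fork (assumed groupId:artifactId).
ARTIFACT = "com.alibaba:hessian-lite"

# Matches dependency lines of the form groupId:artifactId:jar:version:scope,
# e.g. "[INFO] +- com.alibaba:hessian-lite:jar:3.2.11:compile".
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([0-9][\w.\-]*):(\w+)")


def parse_version(version):
    """Reduce a Maven version string to a numeric (major, minor, patch) tuple.
    Qualifiers such as "-SNAPSHOT" are ignored; missing components count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        return (0, 0, 0)
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True when the hessian-lite version is at or below the last affected release."""
    return parse_version(version) <= LAST_AFFECTED


def find_hessian_lite(tree_output):
    """Return (version, scope, affected) for every hessian-lite entry in a dependency tree."""
    hits = []
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        if f"{group}:{artifact}" == ARTIFACT:
            hits.append((version, scope, is_affected(version)))
    return hits


# Constructed sample: two modules, one still on an affected hessian-lite, one already upgraded.
SAMPLE_TREE = """[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ order-service ---
[INFO] com.example:order-service:jar:1.0.0
[INFO] +- com.alibaba:hessian-lite:jar:3.2.11:compile
[INFO] +- com.example:shared-util:jar:2.0.0:compile
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ inventory-service ---
[INFO] com.example:inventory-service:jar:1.0.0
[INFO] +- com.alibaba:hessian-lite:jar:3.2.12:compile
"""

if __name__ == "__main__":
    for version, scope, affected in find_hessian_lite(SAMPLE_TREE):
        print(f"{ARTIFACT}:{version} ({scope}) -> {'AFFECTED' if affected else 'ok'}")
```

Feed it the real output of `mvn dependency:tree` (or a saved copy) on each Dubbo service; any line reported as AFFECTED is a module that still needs the upgrade from the Dubbo release page.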
6 Timeline
2022-01-09 Apache official advisory released
2022-01-14 360CERT advisory published
7 References
https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"