9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-30179

GHSA ID

GHSA-5mc7-m686-p6jg

EPSS Score

0.87242%

CWE

CWE-502

Published

3/18/2022

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-30179

CVE-2021-30179: Deserialization of Untrusted Data in Apache Dubbo

Apache Dubbo prior to 2.6.9 and 2.7.10 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-30179

GHSA ID

GHSA-5mc7-m686-p6jg

EPSS Score

0.87242%

CWE

CWE-502

Published

3/18/2022

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.dubbo:dubbo	maven	>= 2.5.0, < 2.7.10	2.7.10
com.alibaba:dubbo	maven	>= 2.5.0, < 2.6.9	2.6.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in the generic invocation handling chain: 1) GenericService.$invoke accepts attacker-controlled method parameters, 2) GenericFilter.invoke processes these parameters using reflection and deserializes arguments via the unsafe nativejava pathway when triggered by RPC attachments. These functions appear in stack traces when malicious payloads are deserialized during exploitation. The lack of validation() for allowed deserialization types in vulnerable versions makes these functions the critical points of exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** *u**o prior to *.*.* *n* *.*.** *y ****ult supports **n*ri* **lls to *r*itr*ry m*t*o*s *xpos** *y provi**r int*r****s. T**s* invo**tions *r* **n*l** *y t** **n*ri**ilt*r w*i** will *in* t** s*rvi** *n* m*t*o* sp**i*i** in t** *irst *r*um*nts o

Reasoning

T** vuln*r**ility m*ni**sts in t** **n*ri* invo**tion **n*lin* ***in: *) `**n*ri*S*rvi**.$invok*` ****pts *tt**k*r-*ontroll** m*t*o* p*r*m*t*rs, *) `**n*ri**ilt*r.invok*` pro**ss*s t**s* p*r*m*t*rs usin* r**l**tion *n* **s*ri*liz*s *r*um*nts vi* t**

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-30179: Deserialization of Untrusted Data in Apache Dubbo

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI