
CVE-2021-30179: Deserialization of Untrusted Data in Apache Dubbo

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.87242%
Published: 3/18/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name            Ecosystem  Vulnerable Versions  First Patched Version
org.apache.dubbo:dubbo  maven      >= 2.5.0, < 2.7.10   2.7.10
com.alibaba:dubbo       maven      >= 2.5.0, < 2.6.9    2.6.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability manifests in the generic invocation handling chain: 1) GenericService.$invoke accepts attacker-controlled method parameters; 2) GenericFilter.invoke processes these parameters using reflection and, when the RPC attachment selects the nativejava mode, deserializes the arguments through that unsafe pathway. These functions appear in stack traces when malicious payloads are deserialized during exploitation. Vulnerable versions do not validate which types may be deserialized, which makes these functions the critical points of exploitation.


WAF Protection Rules

WAF Rule

Apache Dubbo prior to 2.6.9 and 2.7.10 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments o
