9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32824

GHSA ID

GHSA-fprr-rrm8-4534

EPSS Score

0.93873%

CWE

CWE-502

Published

1/3/2023

Updated

1/29/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32824

CVE-2021-32824: Apache Dubbo vulnerable to remote code execution via Telnet Handler

Apache Dubbo is a Java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-authorization remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected.

Additionally, a provider method can be invoked using the invoke handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with PojoUtils.realize which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, PojoUtils.realize is not, and an attacker can leverage that to achieve remote code execution.

Versions 2.6.10 and 2.7.10 contain fixes for this issue.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32824

GHSA ID

GHSA-fprr-rrm8-4534

EPSS Score

0.93873%

CWE

CWE-502

Published

1/3/2023

Updated

1/29/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.dubbo:dubbo-parent	maven	< 2.6.10	2.6.10
org.apache.dubbo:dubbo-parent	maven	>= 2.7.0, < 2.7.10	2.7.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from two key points: 1) The Telnet handler's invoke command accepts untrusted input and processes arguments through PojoUtils.realize. 2) PojoUtils.realize lacks the deserialization protections present in FastJson, allowing arbitrary class instantiation. The combination creates an unprotected RCE vector where attackers can manipulate beans through nested object graphs that trigger dangerous setters or constructors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** *u**o is * J*v* **s**, op*n sour** RP* *r*m*work. V*rsions prior to *.*.** *n* *.*.** *r* vuln*r**l* to pr*-*ut*oriz*tion r*mot* *o** *x**ution vi* *r*itr*ry ***n m*nipul*tion in t** T*ln*t **n*l*r. T** *u**o m*in s*rvi** port **n ** us** to *

Reasoning

T** *or* vuln*r**ility st*ms *rom two k*y points: *) T** T*ln*t **n*l*r's invok* *omm*n* ****pts untrust** input *n* pro**ss*s *r*um*nts t*rou** PojoUtils.r**liz*. *) PojoUtils.r**liz* l**ks t** **s*ri*liz*tion prot**tions pr*s*nt in **stJson, *llowi

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-32824: Apache Dubbo vulnerable to remote code execution via Telnet Handler

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI