9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37578

GHSA ID

GHSA-9hx8-2mrv-r674

EPSS Score

0.80759%

CWE

CWE-502

Published

8/9/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-37578

CVE-2021-37578: Deserialization of Untrusted Data in Apache jUDDI

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services.

RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely.

For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37578

GHSA ID

GHSA-9hx8-2mrv-r674

EPSS Score

0.80759%

CWE

CWE-502

Published

8/9/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.juddi:juddi-core	maven	< 3.3.10	3.3.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from RMI-related classes that used Java's default serialization without validation. The commit d880ffe removes all RMI transport and service implementations, including JNDIRegistration, RMIRegistration, and various RMI service classes. These functions were vulnerable because they exposed RMI endpoints that deserialized untrusted data. The removal in 3.3.10 confirms these were the attack vectors. High confidence is justified as the patch explicitly removes these RMI components to address the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** jU**I us*s s*v*r*l *l*ss*s r*l*t** to J*v*'s R*mot* M*t*o* Invo**tion (RMI) w*i** (*s *n *xt*nsion to U**I) provi**s *n *lt*rn*t* tr*nsport *or ****ssin* U**I s*rvi**s. RMI us*s t** ****ult J*v* s*ri*liz*tion m****nism to p*ss p*r*m*t*rs in R

Reasoning

T** vuln*r**ility st*ms *rom RMI-r*l*t** *l*ss*s t**t us** J*v*'s ****ult s*ri*liz*tion wit*out v*li**tion. T** *ommit ******* r*mov*s *ll RMI tr*nsport *n* s*rvi** impl*m*nt*tions, in*lu*in* JN*IR**istr*tion, RMIR**istr*tion, *n* v*rious RMI s*rvi**

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-37578: Deserialization of Untrusted Data in Apache jUDDI

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI