CVE-2021-25641 - Vulnerability Details - OpenCVE

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.74804.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Dubbo

Configuration 1 [-]

OR	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-v2rg-8cwr-75g8	Deserializer tampering in Apache Dubbo

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-05-29T07:30:12

Updated: 2024-08-03T20:11:27.972Z

Reserved: 2021-01-20T00:00:00

Link: CVE-2021-25641

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-06-01T14:15:09.737

Modified: 2024-11-21T05:55:11.660

Link: CVE-2021-25641

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Dubbo", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.7.8", "status": "affected", "version": "Apache Dubbo 2.7.x", "versionType": "custom"}, {"lessThan": "2.6.9", "status": "affected", "version": "Apache Dubbo 2.6.x", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it."}], "problemTypes": [{"descriptions": [{"description": "Remote Code Execution by tempering the serialization id on server side.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-29T07:30:12", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "Dubbo Zookeeper does not check serialization id", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "Serialization being tampered by attackers", "ASSIGNER": "security@apache.org", "ID": "CVE-2021-25641", "STATE": "PUBLIC", "TITLE": "Dubbo Zookeeper does not check serialization id"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Dubbo", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Dubbo 2.7.x", "version_value": "2.7.8"}, {"version_affected": "<", "version_name": "Apache Dubbo 2.6.x", "version_value": "2.6.9"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote Code Execution by tempering the serialization id on server side."}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:11:27.972Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-25641", "datePublished": "2021-05-29T07:30:12", "dateReserved": "2021-01-20T00:00:00", "dateUpdated": "2024-08-03T20:11:27.972Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "35FDD1BF-2F98-47A3-810B-244ADABF883D", "versionEndExcluding": "2.6.9", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "A18E0E5C-4E03-4F13-A368-A63B8118AACF", "versionEndExcluding": "2.7.8", "versionStartIncluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it."}, {"lang": "es", "value": "Cada servidor Apache Dubbo ajusta una identificaci\u00f3n de serializaci\u00f3n para indicar a los clientes en qu\u00e9 protocolo de serializaci\u00f3n est\u00e1 trabajando. Pero para Dubbo versiones anteriores a la 2.7.8 o 2.6.9, un atacante puede elegir qu\u00e9 ID de serializaci\u00f3n usar\u00e1 el Proveedor alterando los flags de pre\u00e1mbulo de bytes, es decir, sin seguir las instrucciones del servidor. Esto significa que si un deserializador d\u00e9bil como Kryo y FST est\u00e1n de alguna manera en el alcance del c\u00f3digo (por ejemplo, si Kryo es de alguna manera parte de una dependencia), un atacante remoto no autenticado puede decirle al Proveedor que use el deserializador d\u00e9bil y luego proceder a explotarlo"}], "id": "CVE-2021-25641", "lastModified": "2024-11-21T05:55:11.660", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-01T14:15:09.737", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}