Apache Dubbo is a lightweight Java-based RPC (remote procedure call) framework from the Apache Software Foundation. The product provides interface-based remote calling, fault tolerance and load balancing, and automatic service registration and discovery. Apache Dubbo contains a code-issue vulnerability (CVE-2021-32824): the Telnet handler reachable on the main Dubbo service port requires no authentication, and the arguments passed to its `invoke` command are processed by `PojoUtils.realize`, which can instantiate arbitrary classes and call their setters. An unauthenticated remote attacker who can reach the service port can exploit this to achieve remote code execution. Versions before 2.6.10, and 2.7.0 up to (but not including) 2.7.10, are affected; 2.6.10 and 2.7.10 contain the fix.
{"id": "CNVD-2023-25935", "vendorId": null, "type": "cnvd", "bulletinFamily": "cnvd", "title": "Apache Dubbo code issue vulnerability (CNVD-2023-25935)", "description": "Apache Dubbo is a lightweight Java-based RPC (remote procedure call) framework from the Apache Software Foundation. The product provides interface-based remote calling, fault tolerance and load balancing, and automatic service registration and discovery. Apache Dubbo contains a code-issue vulnerability (CVE-2021-32824): the Telnet handler reachable on the main Dubbo service port requires no authentication, and the arguments passed to its `invoke` command are processed by `PojoUtils.realize`, which can instantiate arbitrary classes and call their setters. An unauthenticated remote attacker who can reach the service port can exploit this to achieve remote code execution. Versions before 2.6.10, and 2.7.0 up to (but not including) 2.7.10, are affected; 2.6.10 and 2.7.10 contain the fix.", "published": "2023-01-06T00:00:00", "modified": "2023-04-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-25935", "reporter": "China National Vulnerability Database", "references": [], "cvelist": ["CVE-2021-32824"], "immutableFields": [], "lastseen": "2023-04-11T11:25:06", "viewCount": 3, "enchantments": {"epss": [{"cve": "CVE-2021-32824", "epss": 0.00243, "percentile": 0.60604, "modified": "2023-04-10"}], "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-32824"]}, {"type": "github", "idList": ["GHSA-FPRR-RRM8-4534"]}, {"type": "osv", "idList": ["OSV:GHSA-FPRR-RRM8-4534"]}, {"type": "veracode", "idList": ["VERACODE:38798"]}]}, "score": {"value": 9.7, "vector": "NONE"}, "vulnersScore": 9.7}, "_state": {"epss": 1681212098, "dependencies": 1681212421, "score": 1684018209}, "_internal": {"score_hash": 
"83b2a4e45a510e74060a8ddd0665c172"}, "vendorCVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "affectedSoftware": [{"version": "2.6.10", "operator": "lt", "name": "apache apache dubbo"}, {"version": "2.7.10", "operator": "lt", "name": "apache dubbo >=2.7.0"}]}
{"osv": [{"lastseen": "2023-04-11T01:46:17", "description": "Apache Dubbo is a Java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-authorization remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. \n\nAdditionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. \n\nVersions 2.6.10 and 2.7.10 contain fixes for this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-03T18:30:25", "type": "osv", "title": "Apache Dubbo vulnerable to remote code execution via Telnet Handler", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-32824"], "modified": "2023-04-11T01:46:15", "id": "OSV:GHSA-FPRR-RRM8-4534", "href": "https://osv.dev/vulnerability/GHSA-fprr-rrm8-4534", "cvss": {"score": 0.0, "vector": "NONE"}}], "github": [{"lastseen": "2023-05-27T15:14:35", "description": "Apache Dubbo is a Java based, open source RPC framework. 
Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-authorization remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. \n\nAdditionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. \n\nVersions 2.6.10 and 2.7.10 contain fixes for this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-03T18:30:25", "type": "github", "title": "Apache Dubbo vulnerable to remote code execution via Telnet Handler", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32824"], "modified": "2023-01-29T05:01:18", "id": "GHSA-FPRR-RRM8-4534", "href": "https://github.com/advisories/GHSA-fprr-rrm8-4534", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-05-27T14:45:11", "description": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. 
Versions 2.6.10 and 2.7.10 contain fixes for this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-03T18:15:00", "type": "cve", "title": "CVE-2021-32824", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32824"], "modified": "2023-01-10T13:57:00", "cpe": [], "id": "CVE-2021-32824", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32824", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "veracode": [{"lastseen": "2023-05-27T19:48:38", "description": "dubbo-cluster is vulnerable to remote code execution. 
The vulnerability exists in the `doInvoke` function of `BroadcastClusterInvoker.java`: call arguments submitted to the `invoke` command of the unauthenticated `Telnet handler` are parsed with FastJson and then passed to `PojoUtils.realize`, which can instantiate arbitrary classes and invoke their setters, allowing a remote attacker to execute arbitrary code.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-08T12:52:53", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32824"], "modified": "2023-01-10T15:37:38", "id": "VERACODE:38798", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-38798/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}