CVE-2021-43297 - OpenCVE

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Dubbo

Configuration 1 [-]

OR	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::

References

Link	Resource
https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww	Mailing List Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2022-01-10T15:25:48

Updated: 2022-01-10T15:25:48

Reserved: 2021-11-03T00:00:00

Link: CVE-2021-43297

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-01-10T16:15:09.527

Modified: 2022-01-18T20:10:31.693

Link: CVE-2021-43297

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"product": "Apache Dubbo", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.6.12", "status": "affected", "version": "Apache Dubbo 2.6.x", "versionType": "custom"}, {"lessThan": "2.7.15", "status": "affected", "version": "Apache Dubbo 2.7.x", "versionType": "custom"}, {"lessThan": "3.0.5", "status": "affected", "version": "Apache Dubbo 3.0.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc&yhbl&wh1t3p1g&fynch3r from G5-RD6@IIE 2. yxxx"}], "descriptions": [{"lang": "en", "value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."}], "metrics": [{"other": {"content": {"other": "high"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-10T15:25:48", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"}], "source": {"discovery": "UNKNOWN"}, "title": "Dubbo Hessian cause RCE when parse error", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-43297", "STATE": "PUBLIC", "TITLE": "Dubbo Hessian cause RCE when parse error"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Dubbo", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Dubbo 2.6.x", "version_value": "2.6.12"}, {"version_affected": "<", "version_name": "Apache Dubbo 2.7.x", "version_value": "2.7.15"}, {"version_affected": "<", "version_name": "Apache Dubbo 3.0.x", "version_value": "3.0.5"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc&yhbl&wh1t3p1g&fynch3r from G5-RD6@IIE 2. yxxx"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "high"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww", "refsource": "MISC", "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-43297", "datePublished": "2022-01-10T15:25:48", "dateReserved": "2021-11-03T00:00:00", "dateUpdated": "2022-01-10T15:25:48", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C18088F-7CD5-4E22-9749-F4B703347A68", "versionEndExcluding": "2.6.12", "versionStartIncluding": "2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2FBCC30-3E2F-4826-9E57-D01F158B4184", "versionEndExcluding": "2.7.15", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "DCE9F3A7-DA3B-40DA-B048-68D52395DE2B", "versionEndExcluding": "3.0.5", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de deserializaci\u00f3n en Dubbo Hessian-lite versiones 3.2.11 y sus versiones anteriores, que podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo malicioso. La mayor\u00eda de usuarios de Dubbo usan Hessian2 como el protocolo de serializaci\u00f3n/deserializaci\u00f3n por defecto, durante la captura de excepciones no esperadas de Hessian, Hessian sacar\u00e1 alguna informaci\u00f3n para usuarios, lo que puede causar una ejecuci\u00f3n de comandos remotos. Este problema afecta a Apache Dubbo versiones 2.6.x anteriores a 2.6.12; Apache Dubbo versiones 2.7.x anteriores a 2.7.15; Apache Dubbo versiones 3.0.x anteriores a 3.0.5"}], "id": "CVE-2021-43297", "lastModified": "2022-01-18T20:10:31.693", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-10T16:15:09.527", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}