PT-2021-18653 · Apache · Apache Dubbo

Published: 2021-05-31 · Updated: 2022-03-18 · CVE-2021-30179

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Dubbo versions prior to 2.6.9 and 2.7.9

Description

The issue allows generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter, which uses the Java Reflection API to make the final call. The invoke and invokeAsync methods have a signature that takes the method name, the parameter types, and the actual call arguments. An attacker who controls the RPC attachment can set it to nativejava, forcing Java deserialization of an attacker-supplied byte array before the reflective call is made, which can lead to remote code execution.

Recommendations

For Apache Dubbo versions prior to 2.6.9, update to version 2.6.9 or later. For Apache Dubbo versions prior to 2.7.9, update to version 2.7.9 or later. As a temporary workaround, consider restricting the RPC attachment values to prevent setting it to nativejava until a patch is available.
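The workaround above can be enforced on the provider side with a Dubbo filter that fails closed before GenericFilter reaches the reflective call. This is an added example, not code from the Dubbo project or from this advisory; it assumes the Dubbo 2.7.x Filter SPI, that the attachment is keyed "generic" (the key name is not stated on this page), and that an order of -30000 sorts the filter ahead of GenericFilter.

```java
// Added example (not Dubbo project code): provider-side filter that rejects
// generic invocations requesting native Java deserialization, as a stop-gap
// until the provider is upgraded to 2.6.9 / 2.7.9.
// Assumptions: Dubbo 2.7.x Filter SPI; attachment key "generic" (assumed);
// order -30000 assumed to run before GenericFilter.
import org.apache.dubbo.common.constants.CommonConstants;
import org.apache.dubbo.common.extension.Activate;
import org.apache.dubbo.rpc.Filter;
import org.apache.dubbo.rpc.Invocation;
import org.apache.dubbo.rpc.Invoker;
import org.apache.dubbo.rpc.Result;
import org.apache.dubbo.rpc.RpcException;

@Activate(group = CommonConstants.PROVIDER, order = -30000)
public class RejectNativeJavaGenericFilter implements Filter {

    // Attachment key (assumed name) and the value this advisory warns about.
    private static final String GENERIC_KEY = "generic";
    private static final String NATIVE_JAVA = "nativejava";

    @Override
    public Result invoke(Invoker<?> invoker, Invocation invocation) throws RpcException {
        String generic = invocation.getAttachment(GENERIC_KEY);
        if (generic != null && NATIVE_JAVA.equalsIgnoreCase(generic.trim())) {
            // Refuse the call before any byte[] argument can be deserialized.
            throw new RpcException(RpcException.FORBIDDEN_EXCEPTION,
                    "generic=nativejava invocations are disabled on this provider");
        }
        return invoker.invoke(invocation);
    }
}
```

Register the class under META-INF/dubbo/org.apache.dubbo.rpc.Filter so the provider activates it; the thrown RpcException also gives a log line to alert on while the upgrade is pending.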

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2021-30179
GHSA-5MC7-M686-P6JG

Affected Products

Apache Dubbo