PT-2022-11816 · Apache · Apache Dubbo, Dubbo Hessian-Lite

Published 2022-01-10 · Updated 2022-01-18

CVE-2021-43297

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- Apache Dubbo 2.6.x prior to 2.6.12
- Apache Dubbo 2.7.x prior to 2.7.15
- Apache Dubbo 3.0.x prior to 3.0.5
- dubbo hessian-lite 3.2.11 and earlier

Description
A deserialization vulnerability in dubbo hessian-lite (3.2.11 and earlier) can lead to execution of attacker-supplied code. Most Dubbo deployments use Hessian2 as the default serialization protocol for RPC traffic. When the Hessian2 decoder meets an unexpected type while reading an incoming message, it formats the already-decoded, attacker-controlled object into the error it raises and logs; building that message invokes methods (toString) on that object, so a crafted payload can turn an ordinary decoding error into remote command execution on the Dubbo provider. The vector (AV:N/PR:N) reflects that anyone able to reach the Dubbo port can send such a payload, no credentials required.

Recommendations
- Apache Dubbo 2.6.x prior to 2.6.12: update to 2.6.12 or later.
- Apache Dubbo 2.7.x prior to 2.7.15: update to 2.7.15 or later.
- Apache Dubbo 3.0.x prior to 3.0.5: update to 3.0.5 or later.
- dubbo hessian-lite 3.2.11 and earlier: update to a version later than 3.2.11.
- Check the hessian-lite version your build actually resolves, not only the Dubbo version: hessian-lite is pulled in as a dependency of Dubbo, and a pinned or managed transitive version can keep the vulnerable library in place after a Dubbo upgrade.
- If you cannot upgrade immediately, as a temporary workaround switch the Dubbo serialization away from hessian2 until the fixed versions are deployed.
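The affected ranges above are per release branch, so a naive "version < 3.0.5" check would misclassify a 2.7.15 deployment. The script below, an added example that is not part of the advisory or of the Apache Dubbo project, encodes the branch-specific ranges and runs them over the output of `mvn dependency:list`. The Maven coordinates it looks for (org.apache.dubbo:dubbo, com.alibaba:dubbo for the 2.6 line, com.alibaba:hessian-lite) and the sample dependency listing are assumptions constructed for the example.

```python
"""Flag Dubbo / hessian-lite versions affected by CVE-2021-43297.

Added example, not code from the advisory or from Apache Dubbo. The version
ranges come from the advisory; the Maven coordinates and the sample
dependency listing below are assumptions constructed for this example.
"""
import re
from typing import List, Tuple

# Affected Dubbo branches: (major, minor) -> first fixed version on that branch.
DUBBO_FIXED = {
    (2, 6): (2, 6, 12),
    (2, 7): (2, 7, 15),
    (3, 0): (3, 0, 5),
}
# hessian-lite 3.2.11 and earlier are affected, so 3.2.12 is the first fixed version.
HESSIAN_LITE_FIXED = (3, 2, 12)

# Assumed Maven coordinates (groupId:artifactId) of the affected artifacts.
DUBBO_COORDS = {"org.apache.dubbo:dubbo", "com.alibaba:dubbo"}
HESSIAN_LITE_COORDS = {"com.alibaba:hessian-lite"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.7.14' -> (2, 7, 14); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def dubbo_status(version: str) -> str:
    """'vulnerable', 'fixed', or 'unlisted' for a branch the advisory does not cover."""
    parsed = parse_version(version)
    fixed = DUBBO_FIXED.get(parsed[:2])
    if fixed is None:
        return "unlisted"
    return "vulnerable" if parsed < fixed else "fixed"


def hessian_lite_status(version: str) -> str:
    return "vulnerable" if parse_version(version) < HESSIAN_LITE_FIXED else "fixed"


def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved version, status) for each Dubbo / hessian-lite entry.

    Accepts `mvn dependency:list` output, whose lines look like
    `[INFO]    org.apache.dubbo:dubbo:jar:2.7.14:compile`
    (groupId:artifactId:type[:classifier]:version:scope).
    """
    findings = []
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) < 5:
            continue  # not a dependency line
        coord, version = f"{parts[0]}:{parts[1]}", parts[-2]
        if coord in DUBBO_COORDS:
            findings.append((coord, version, dubbo_status(version)))
        elif coord in HESSIAN_LITE_COORDS:
            findings.append((coord, version, hessian_lite_status(version)))
    return findings


# Constructed sample output of `mvn dependency:list`; not taken from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.dubbo:dubbo:jar:2.7.14:compile
[INFO]    com.alibaba:hessian-lite:jar:3.2.11:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.32:compile
"""

if __name__ == "__main__":
    for coord, version, status in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{coord} {version}: {status}")
```

Feed it the real listing with `mvn dependency:list | python check_dubbo.py` after replacing the sample with `sys.stdin.read()`; the point of checking the resolved hessian-lite coordinate separately is that a dependencyManagement pin can leave 3.2.11 in place even after Dubbo itself reports a fixed version.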

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

CVE-2021-43297
GHSA-VP5X-3V8R-QPRW

Affected Products

Apache Dubbo
Dubbo Hessian-Lite