[Vulnerability Advisory] Apache Dubbo Remote Code Execution Vulnerability (CVE-2021-36162)
Published: 2021-08-31

0x00 Vulnerability Overview
CVE ID | CVE-2021-36162 | Date | 2021-08-30 |
Type | RCE | Severity | High |
Remotely exploitable | Yes | Affected scope | |
Attack complexity | | Availability | |
User interaction | | Privileges required | |
PoC/EXP | Public | In-the-wild exploitation | |
0x01 Vulnerability Details
Apache Dubbo is a widely used Java RPC distributed service framework.
On 30 August 2021, GitHub Security Lab publicly disclosed multiple high-severity vulnerabilities in Apache Dubbo (CVE-2021-36162 and CVE-2021-36163). An attacker can exploit these vulnerabilities to execute arbitrary code remotely.
Apache Dubbo YAML deserialization vulnerability (CVE-2021-36162)
Apache Dubbo contains a YAML deserialization vulnerability. An attacker with access to the configuration center can exploit it to execute arbitrary code remotely.
Apache Dubbo remote code execution vulnerability (CVE-2021-36163)
Apache Dubbo uses the insecure Hessian protocol (optional), which leads to unsafe deserialization; an attacker can exploit this vulnerability to execute arbitrary code remotely.
In addition, Security Lab disclosed another RCE vulnerability in Apache Dubbo (GHSL-2021-096, which the project declined to fix): because Apache Dubbo uses the insecure RMI protocol, deserialization is unsafe, and an attacker can send parameters of arbitrary types and execute arbitrary code remotely.
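The YAML issue above is a general pattern: a SnakeYAML `Yaml` built with its default constructor honours explicit `!!fully.qualified.ClassName` tags and instantiates whatever class the document names, so configuration text that an attacker can write becomes an object-construction primitive. The following is an added example, not Dubbo's own code or the fix from the patch linked below; it assumes SnakeYAML 1.33 or 2.x on the classpath, and the YAML documents are constructed samples. It shows a plain configuration document loading identically through both loaders, while only the `SafeConstructor` loader refuses the tagged document.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoadDemo {

    // Constructed sample: an ordinary configuration document with only scalars and maps.
    static final String PLAIN =
        "dubbo:\n"
      + "  application:\n"
      + "    name: demo\n"
      + "  registry:\n"
      + "    address: zookeeper://127.0.0.1:2181\n";

    // Constructed sample: the same key carrying an explicit Java-class tag. The class named
    // here is harmless; the point is that the tag selects the class to instantiate.
    static final String TAGGED = "dubbo: !!java.util.Properties {}\n";

    // Default constructor: resolves !!tags to arbitrary classes (the unsafe pattern).
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // SafeConstructor: only standard YAML types (maps, lists, scalars) are constructed;
    // any unknown tag raises ConstructorException instead of instantiating a class.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> viaDefault = (Map<?, ?>) loadUnsafe(PLAIN);
        Map<?, ?> viaSafe = (Map<?, ?>) loadSafe(PLAIN);
        System.out.println("plain document, default loader: " + viaDefault.get("dubbo"));
        System.out.println("plain document, safe loader:    " + viaSafe.get("dubbo"));

        try {
            loadSafe(TAGGED);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            // Expected: "could not determine a constructor for the tag tag:yaml.org,2002:java.util.Properties"
            System.out.println("safe loader rejected tagged document: " + e.getMessage());
        }
    }
}
```

When reviewing code that reads YAML from a registry or configuration center, the check is simply whether every `new Yaml(...)` is given a `SafeConstructor` (or an equivalent type-restricting constructor); a bare `new Yaml()` on attacker-writable input is the defect.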
Affected scope
Apache Dubbo v2.7.10
0x02 Remediation Advice
CVE-2021-36162 and CVE-2021-36163 have been fixed; apply the security patches promptly. GHSL-2021-096 was declined for a fix, so users are advised to enable the JEP 290 mechanism (Java serialization filtering).
CVE-2021-36162 patch link:
https://github.com/apache/dubbo/pull/8350
CVE-2021-36163 patch link:
https://github.com/apache/dubbo/pull/8238
0x03 References
https://securitylab.github.com/advisories/GHSL-2021-094-096-apache-dubbo/
https://dubbo.apache.org/en/downloads/
http://openjdk.java.net/jeps/290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36162
0x04 Revision History
Version | Date | Changes |
V1.0 | 2021-08-31 | First release |
0x05 Appendix
CNVD: www.cnvd.org.cn
CNNVD: www.cnnvd.org.cn
CVE: cve.mitre.org
NVD: nvd.nist.gov
CVSS: www.first.org