VYPR
Critical severity · NVD Advisory · Published May 31, 2021 · Updated Aug 3, 2024

Apache Dubbo RCE on customers via Condition route poisoning (Unsafe YAML unmarshaling)

CVE-2021-30180

Description

Apache Dubbo prior to 2.7.9 supports Tag routing, which enables a customer to route a request to the right server. These rules are used by customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may end up invoking arbitrary constructors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Dubbo before 2.7.9 invokes arbitrary constructors while parsing YAML routing rules, which can lead to remote code execution on the node that parses them.

Vulnerability

Apache Dubbo versions prior to 2.7.9 support Tag routing, a feature that lets users define YAML rules to steer requests to particular providers. The vulnerability resides in the parsing of these YAML rules: the parser is configured to honour YAML global tags of the form `!!fully.qualified.ClassName`, so a rule can name any class on the classpath and have its constructor invoked with attacker-controlled arguments during deserialization [1]. This is the unsafe YAML unmarshaling named in the advisory title. The title refers to condition routes and the NVD description to tag routes; both rule types are delivered to Dubbo as YAML text and are affected. The party that parses the rules is the Dubbo consumer (the "customer" in the advisory wording), since routers run in the consumer's cluster invoker.

Exploitation

To exploit this vulnerability, an attacker must be able to supply or modify the YAML routing rules that a Dubbo consumer receives. Rules are distributed through the configuration management system, so this typically means network access to that system with write permission on the rule entries, or the ability to inject rules through a compromised provider or consumer. The attacker crafts a rule containing a global tag that names a class and supplies constructor arguments; the constructor runs as soon as the consumer parses the rule, before any routing logic inspects it. Dubbo itself requires no authentication for the rule to take effect: whatever access control exists is that of the configuration store, so a weakly protected config center is the practical precondition.

Impact

Successful exploitation allows the attacker to execute arbitrary code on the Dubbo node that parses the rule, which is the consumer rather than the server it calls. By invoking arbitrary constructors, the attacker can instantiate classes with chosen arguments and, depending on the classes available on the consumer's classpath and the runtime environment, chain that into command execution or full remote code execution (RCE). This compromises the confidentiality, integrity, and availability of the affected system, and because rules are pushed from a shared configuration store, a single poisoned rule can reach every consumer subscribed to it.

Mitigation

Apache Dubbo addressed this vulnerability in version 2.7.9; note that the GitHub Security Advisory data reproduced on this page lists 2.7.0 up to but not including 2.7.10 as affected and 2.7.10 as the first patched release, so 2.7.10 or later is the safe floor [1]. There is no vendor-documented workaround for systems that cannot be upgraded; until an upgrade is possible, the only compensating control is to restrict who can write routing rules in the configuration management system, since that is the attacker's required foothold. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
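The parsing mistake described in the Vulnerability section, and the hardening that the Mitigation section leaves to an upgrade, side by side. This is an added example written for this page; it is not Dubbo's code and not the patch. It assumes SnakeYAML 1.x (the library Dubbo's route rule parsers use, so the API calls match that line; in SnakeYAML 2.x the constructors take a LoaderOptions argument and `new Yaml()` no longer honours global tags by default). The class name RouteRuleYamlDemo, the helper names and both sample rules are constructed for illustration; the poisoned rule names java.io.File only because constructing it has no side effect.

```java
import java.io.File;
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class RouteRuleYamlDemo {

    // Constructed sample: a well-formed tag routing rule in the shape Dubbo documents.
    static final String BENIGN_RULE =
        "---\n" +
        "force: false\n" +
        "runtime: true\n" +
        "enabled: true\n" +
        "priority: 1\n" +
        "key: demo-provider\n" +
        "tags:\n" +
        "  - name: tag1\n" +
        "    addresses: [\"192.168.0.1:20880\"]\n";

    // Constructed sample: the 'tags' entry carries a global tag naming a JVM class.
    // A default SnakeYAML Constructor resolves the tag to that class and calls the
    // constructor whose arity matches the sequence. The class name is attacker-chosen;
    // java.io.File is used here so the demonstration stays side-effect free.
    static final String POISONED_RULE =
        "---\n" +
        "key: demo-provider\n" +
        "tags: !!java.io.File [\"/tmp/attacker-chosen\"]\n";

    // Vulnerable pattern: the default constructor honours any !!fully.qualified.ClassName tag.
    static Object parseUnsafe(String rule) {
        return new Yaml().load(rule);
    }

    // Hardened pattern: SafeConstructor builds only YAML-standard types (maps, lists,
    // scalars) and throws ConstructorException on any global tag it does not know.
    static Object parseSafe(String rule) {
        return new Yaml(new SafeConstructor()).load(rule);
    }

    public static void main(String[] args) {
        // A legitimate rule parses identically under the hardened loader.
        Map<?, ?> ok = (Map<?, ?>) parseSafe(BENIGN_RULE);
        System.out.println("benign rule: key=" + ok.get("key") + " tags=" + ok.get("tags"));

        // The unsafe loader silently instantiates the attacker-named class.
        Map<?, ?> unsafe = (Map<?, ?>) parseUnsafe(POISONED_RULE);
        Object tags = unsafe.get("tags");
        System.out.println("unsafe loader built " + tags.getClass().getName()
            + " (is File: " + (tags instanceof File) + ")");

        // The hardened loader refuses the global tag before any constructor runs.
        try {
            parseSafe(POISONED_RULE);
            System.out.println("unexpected: safe loader accepted the global tag");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected it: " + e.getMessage());
        }
    }
}
```

The check a practitioner wants is the last one: the hardened loader fails closed on the tag itself, so no class is resolved and no constructor runs regardless of what gadgets the classpath offers. When auditing a codebase for the same bug class, grep for `new Yaml()` and `new Yaml(new Constructor(` on any input that is not fully trusted.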

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.dubbo:dubbo (Maven)
Affected versions: >= 2.7.0, < 2.7.10
Patched versions: 2.7.10
