CVE-2021-43297 PoC — Dubbo Hessian cause RCE when parse error

Source
Associated Vulnerability
Title: Dubbo Hessian cause RCE when parse error (CVE-2021-43297)
Description: A deserialization vulnerability existed in Dubbo hessian-lite 3.2.11 and earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol. When Hessian catches unexpected exceptions, it logs some information for users, which may cause remote command execution. This issue affects Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.
Description
Apache Dubbo Hessian2 CVE-2021-43297 demo
Readme
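### Deserialization during Apache Dubbo Hessian2 exception handling (CVE-2021-43297)

1. Import the two projects into two separate IDEA instances

2. First run org.apache.dubbo.samples.basic.BasicProvider#main to start the server
3. Then run org.apache.dubbo.samples.basic.BasicConsumer#main to start the attacking client

Result: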

![](images/1.png)


https://paper.seebug.org/1814/
File Snapshot

[4.0K] /data/pocs/beb6fa2ec274b54706032e0a34dd26b9ddaa47ca
├── [4.0K] dubbo-client
│   ├── [ 80] dubbotest.iml
│   ├── [7.5K] pom.xml
│   └── [4.0K] src
│       └── [4.0K] main
│           ├── [4.0K] java
│           │   ├── [4.0K] com
│           │   │   └── [4.0K] alibaba
│           │   │       └── [4.0K] com
│           │   │           └── [4.0K] caucho
│           │   │               └── [4.0K] hessian
│           │   │                   └── [4.0K] io
│           │   │                       ├── [ 29K] Hessian2Output.java
│           │   │                       └── [ 22K] SerializerFactory.java
│           │   └── [4.0K] org
│           │       └── [4.0K] apache
│           │           └── [4.0K] dubbo
│           │               ├── [4.0K] registry
│           │               │   └── [4.0K] zookeeper
│           │               │       └── [ 14K] ZookeeperRegistry.java
│           │               ├── [4.0K] rpc
│           │               │   └── [4.0K] protocol
│           │               │       └── [4.0K] dubbo
│           │               │           └── [8.0K] DubboCodec.java
│           │               └── [4.0K] samples
│           │                   └── [4.0K] basic
│           │                       ├── [4.0K] api
│           │                       │   └── [ 931] DemoService1.java
│           │                       ├── [1.5K] BasicConsumer.java
│           │                       ├── [7.4K] EmbeddedZooKeeper.java
│           │                       ├── [2.6K] Reflections.java
│           │                       └── [1.4K] Test.java
│           └── [4.0K] resources
│               ├── [1.1K] log4j.properties
│               └── [4.0K] spring
│                   └── [1.7K] dubbo-demo-consumer.xml
├── [4.0K] dubbo-server
│   ├── [ 964] case-configuration.yml
│   ├── [ 923] case-versions.conf
│   ├── [7.2K] pom.xml
│   └── [4.0K] src
│       ├── [4.0K] main
│       │   ├── [4.0K] java
│       │   │   ├── [4.0K] org
│       │   │   │   └── [4.0K] apache
│       │   │   │       └── [4.0K] dubbo
│       │   │   │           └── [4.0K] samples
│       │   │   │               └── [4.0K] basic
│       │   │   │                   ├── [4.0K] api
│       │   │   │                   │   └── [ 969] DemoService.java
│       │   │   │                   ├── [1.4K] BasicProvider.java
│       │   │   │                   ├── [7.4K] EmbeddedZooKeeper.java
│       │   │   │                   ├── [4.0K] impl
│       │   │   │                   │   └── [1.5K] DemoServiceImpl.java
│       │   │   │                   └── [ 461] Test.java
│       │   │   └── [1.0K] Test.java
│       │   └── [4.0K] resources
│       │       ├── [1.1K] log4j.properties
│       │       └── [4.0K] spring
│       │           └── [1.8K] dubbo-demo-provider.xml
│       └── [4.0K] test
│           └── [4.0K] java
│               └── [4.0K] org
│                   └── [4.0K] apache
│                       └── [4.0K] dubbo
│                           └── [4.0K] samples
│                               └── [4.0K] basic
│                                   └── [1.6K] DemoServiceIT.java
├── [4.0K] images
│   └── [434K] 1.png
└── [ 342] README.md

44 directories, 27 files