Opening socket connection to server 127.0.0.1/127.0.0.1:2181. Will not attempt to authenticate using SASL (unknown error) Socket error occurred: 127.0.0.1/127.0.0.1:2181: Connection refused: no further information
Pull a docker image (the `-id` flags and `--name` were run together in the original; they are separate arguments):

```shell
docker pull zookeeper
docker run -id --name zookeeper -p 2181:2181 zookeeper
```
Tue Apr 25 20:00:09 CST 2023 Receive result ======> Hello Aluvion1634565036, i am Twings.
Tue Apr 25 20:00:10 CST 2023 Receive result ======> Hello Aluvion-356148887, i am Twings.
Tue Apr 25 20:00:11 CST 2023 Receive result ======> Hello Aluvion-2026383264, i am Twings.
Tue Apr 25 20:00:12 CST 2023 Receive result ======> Hello Aluvion-279126879, i am Twings.
Tue Apr 25 20:00:13 CST 2023 Receive result ======> Hello Aluvion-9261720, i am Twings.
Tue Apr 25 20:00:14 CST 2023 Receive result ======> Hello Aluvion1084163910, i am Twings.
Tue Apr 25 20:00:15 CST 2023 Receive result ======> Hello Aluvion699243408, i am Twings.
Tue Apr 25 20:00:16 CST 2023 Receive result ======> Hello Aluvion-796289112, i am Twings.
Because the client is a script that runs repeatedly, the server's sayHello function can be seen to have been invoked many times.
CVE-2021-30179
Vulnerability analysis
Affected versions:
Apache Dubbo 2.7.0 to 2.7.9
Apache Dubbo 2.6.0 to 2.6.9
Apache Dubbo all 2.5.x versions (no longer officially supported)

```java
Map<Object, Object> map;
// when return type is not the subclass of return type from the signature and not an interface
if (!type.isInterface() && !type.isAssignableFrom(pojo.getClass())) {
    try {
        // instantiates `type` through its no-arg constructor and copies the map entries into it
        map = (Map<Object, Object>) type.getDeclaredConstructor().newInstance();
        Map<Object, Object> mapPojo = (Map<Object, Object>) pojo;
        map.putAll(mapPojo);
        if (GENERIC_WITH_CLZ) {
            map.remove("class");
        }
    } catch (Exception e) {
        //ignore error
        map = (Map<Object, Object>) pojo;
    }
} else {
    map = (Map<Object, Object>) pojo;
}
```
Caused by: org.apache.dubbo.remoting.RemotingException: org.apache.dubbo.rpc.RpcException: java.lang.IllegalArgumentException: [Serialization Security] Serialized class com.sun.rowset.JdbcRowSetImpl is not in allow list. Current mode is `STRICT`, will disallow to deserialize it by default. Please add it into security/serialize.allowlist or follow FAQ to configure it.
It looks like this is how the vulnerability was fixed.
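The stack trace above shows the shape of the fix: before a class named in the generic payload is instantiated, its name is checked against an allowlist, and anything not listed is refused. The following is an added example, not Dubbo's own code, of a realize()-style helper built around that same check. `SafeRealize`, `Greeting`, the allowlist contents and the sample maps are all constructed for this illustration; a real deployment would load the list from a file such as the `security/serialize.allowlist` the error message refers to.

```java
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example: a "realize" routine that only instantiates allowlisted classes.
public class SafeRealize {

    // Constructed allowlist: only the bean type we actually expect from clients.
    private static final Set<String> ALLOWLIST = Set.of("SafeRealize$Greeting");

    // Constructed bean type used as the allowed target.
    public static class Greeting {
        private String name;
        public void setName(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Turns a generic map into a bean, but only when its "class" hint is allowlisted.
    public static Object realize(Map<String, Object> pojo) throws ReflectiveOperationException {
        Object className = pojo.get("class");
        if (className == null) {
            return pojo; // no class hint: hand the map back untouched
        }
        // The security check: refuse any class the service owner did not list explicitly.
        if (!ALLOWLIST.contains(className)) {
            throw new IllegalArgumentException("[Serialization Security] Serialized class "
                    + className + " is not in allow list.");
        }
        Class<?> type = Class.forName((String) className);
        Object bean = type.getDeclaredConstructor().newInstance();
        for (Map.Entry<String, Object> entry : pojo.entrySet()) {
            if ("class".equals(entry.getKey())) {
                continue;
            }
            String setter = "set" + Character.toUpperCase(entry.getKey().charAt(0))
                    + entry.getKey().substring(1);
            for (Method m : type.getMethods()) {
                if (m.getName().equals(setter) && m.getParameterCount() == 1
                        && m.getParameterTypes()[0].isInstance(entry.getValue())) {
                    m.invoke(bean, entry.getValue());
                }
            }
        }
        return bean;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an allowlisted bean is built normally.
        Map<String, Object> ok = new HashMap<>();
        ok.put("class", "SafeRealize$Greeting");
        ok.put("name", "Twings");
        System.out.println(((Greeting) realize(ok)).getName());

        // Constructed input: the class from the stack trace above is not listed, so it is refused
        // before any constructor runs.
        Map<String, Object> rejected = new HashMap<>();
        rejected.put("class", "com.sun.rowset.JdbcRowSetImpl");
        try {
            realize(rejected);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The important property is the order of operations: the allowlist lookup happens on the string before `Class.forName` and `newInstance` are ever reached, so a class that is merely present on the classpath is not enough to get it instantiated. Logging the rejected class name, as Dubbo's STRICT mode does, also gives the operations team a detection signal for unexpected generic payloads.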
bean
```java
for (int i = 0; i < args.length; i++) {
    if (args[i] instanceof JavaBeanDescriptor) {
        args[i] = JavaBeanSerializeUtil.deserialize((JavaBeanDescriptor) args[i]);
    } else {
        ...
    }
}
```

```java
Configuration configuration = ApplicationModel.ofNullable(applicationModel).getModelEnvironment().getConfiguration();
if (!configuration.getBoolean(CommonConstants.ENABLE_NATIVE_JAVA_GENERIC_SERIALIZE, false)) {
    String notice = "Trigger the safety barrier! "
            + "Native Java Serializer is not allowed by default."
            + "This means currently maybe being attacking by others. "
            + "If you are sure this is a mistake, "
            + "please set `" + CommonConstants.ENABLE_NATIVE_JAVA_GENERIC_SERIALIZE + "` enable in configuration! "
            + "Before doing so, please make sure you have configure JEP290 to prevent serialization attack.";
    logger.error(CONFIG_FILTER_VALIDATION_EXCEPTION, "", "", notice);
    throw new RpcException(new IllegalStateException(notice));
}
```