Apache Dubbo: All roads lead to RCE
Blog post from GitHub
During an audit of Apache Dubbo v2.7.8, multiple vulnerabilities were discovered that allow remote code execution, letting an attacker run arbitrary system commands on the affected host. The audit process, detailed in a blog post, used CodeQL, GitHub's semantic code analysis tool, to explore the Dubbo codebase and identify security weaknesses, particularly in its deserialization paths. Several past vulnerabilities, such as CVE-2020-11995 and CVE-2020-1948, were noted as instances of unsafe deserialization, and new vulnerabilities were identified, including arbitrary bean manipulation and unsafe YAML unmarshalling. CodeQL was used to model and track data flows, revealing weaknesses in how the Dubbo protocol handles serialized data that could be exploited to bypass the existing security controls. The blog emphasizes the importance of understanding an application's attack surface and of using CodeQL not only for automated scanning but as an exploratory tool that strengthens manual code audits and surfaces critical security issues quickly.