CVE-2021-30181: 
Java vulnerability analysis and mitigation

Apache Dubbo prior to versions 2.6.9 and 2.7.9 contains a remote code execution vulnerability (CVE-2021-30181) in its Script routing functionality. The vulnerability allows customers to route requests to specific servers using script rules. When parsing these rules, Dubbo customers use ScriptEngine to execute the provided script, which by default may enable arbitrary code execution (NVD, GitHub Security Lab).

The vulnerability exists in the Script routing feature where Dubbo customers use JRE ScriptEngineManager to load a ScriptEngine and execute routing rules. When parsing these rules, the ScriptEngine runs the provided script with default settings that enable arbitrary Java code execution. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

An attacker with access to the configuration center (such as Zookeeper or Nacos) can poison a script route rule. When this malicious rule is retrieved by consumers, it enables remote code execution on all affected systems. The attack is particularly severe as many installations have authentication disabled by default or don't support authentication at all (GitHub Security Lab).

The vulnerability was fixed in Apache Dubbo versions 2.6.9 and 2.7.9. Users should upgrade to these or later versions to mitigate the risk. Additionally, it's recommended to enable authentication on configuration centers where possible and ensure they are not exposed to untrusted networks (NVD).