In microservices architectures, serialization mechanisms act as the circulatory system for inter-service communication. As one of China's most widely adopted RPC frameworks, Dubbo's serialization security directly impacts the resilience of distributed systems. Historical security incidents show that deserialization vulnerabilities consistently rank among the top three Java application vulnerabilities, with Dubbo-related issues frequently appearing in enterprise red team reports.

The core challenge lies in balancing efficiency and security. Hessian2, Dubbo's default protocol, offers cross-language compatibility and performance but lacks inherent security considerations. Attackers can exploit this by crafting malicious serialized data to trigger unintended object construction during deserialization, ultimately leading to remote code execution (RCE).

Typical attack patterns include:

1. Attackers inject malicious serialized data through forged client requests
2. Server-side deserialization triggers unexpected class loading
3. Reflection chains execute dangerous methods (e.g., Runtime.exec)
4. Server control is compromised

Security Alert: CVE-2021-43297 exploits Dubbo's Hessian2 exception handling mechanism, allowing malicious code execution even when deserialization fails. This affects Dubbo versions 2.7.0 to 2.7.12.

Vulnerability Analysis: Case Study of CVE-2021-43297

2.1 Hessian2 Protocol Security Flaws

Hessian2's exception handling mechanism contains a critical weakness - when encountering malformed data, it attempts to call the toString() method for error reporting. Attackers can exploit this by constructing special data packets:

// Pseudocode demonstrating the vulnerability
public String deserializeString() throws IOException {
    switch(dataTag) {
        case 'C':  // Intentionally trigger exception branch
            throw this.expect("string", dataTag);
        default:
            return obj.toString();  // Dangerous operation!
    }
}

This design allows attackers to control program flow even when deserialization faills. In practice, attackers inject specially crafted objects whose toString() methods may contain malicious logic.

2.2 Attack Chain Analysis

A complete attack chain typically includes:

1. Entry Point: Dubbo's ProtocolFilterWrapper processes incoming requests
2. Deserialization Trigger: Hessian2Input reads malicious data
3. Exception Handling Vulnerability: Incorrect tag values trigger exception branches
4. Malicious Code Execution: Inject attack code through overridden toString() methods

Component	Risk Level	Affected Versions	Mitigation Measures
Hessian2Input	High Risk	<2.7.13	Apply patch updates
SerializerFactory	Medium Risk	All versions	Enable whitelist
RpcInvocation	High Risk	<3.0.0	Implement parameter validation

Comprehensive Defense Strategy Construction

3.1 Basic Protection Configuration

Enabling security configurations is the first line of defense:

<!-- dubbo-provider.xml -->
<dubbo:provider serialization="hessian2">
    <dubbo:parameter key="serialization.security.check" value="true"/>
    <dubbo:parameter key="serialization.whitelist.enable" value="true"/>
</dubbo:provider>

Key parameter explanations:

• serialization.security.check: Enable basic security checks
• serialization.whitelist.enable: Enable class whitelisting
• dubbo.application.owner: Set responsible person for emergency response

3.2 Class Whitelist Best Practices

Dubbo 3.x introduced a tiered whitelist mechanism. Recommended configuration strategies:

1. Strict Mode Configuration:

# application.properties
dubbo.security.serialization.check=STRICT
dubbo.security.serialization.allowlist=/path/to/serialize.allowlist

3. Whitelist File Example:

# serialize.allowlist
com.example.dto.*
java.util.HashMap
java.lang.String

5. Dynamic Update Technique:

// Runtime refresh of whitelist
SerializationSecurityManager manager = ApplicationModel.getDefaultModel()
    .getBeanFactory().getBean(SerializationSecurityManager.class);
manager.reloadAllowList();

3.3 Network Layer Hardening

Building layered defense with network protection devices:

1. WAF Rule Example (Nginx implementation):

location /dubbo {
    # Intercept abnormal content-type
    if ($content_type !~* "application/x-hessian") {
        return 403;
    }
    
    # Limit POST body size
    client_max_body_size 1m;
    
    # Key field regex filtering
    set $block 0;
    if ($request_body ~* "java\.lang\.Runtime") {
        set $block 1;
    }
    if ($block = 1) {
        return 403;
    }
}

3. Enterprise-level Protection Architecture:

Client → Edge Firewall → Load Balancer (WAF) → Dubbo Service Cluster
                      ↓
                  Audit Logging System

Advanced Monitoring and Incident Response

4.1 Anomaly Behavior Monitoring

Building a real-time monitoring system based on logs:

# Logstash filter rules
filter {
    grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}.*Serialization check failed.*class=%{DATA:malicious_class}" }
    }
    if [malicious_class] {
        mutate { add_tag => ["serialization_attack"] }
    }
}

Key monitoring metrics:

• Deserialization failure frequency
• Attempts to load classes outside the whitelist
• Abnormal stack traces containing dangerous class names (e.g., ProcessBuilder)

4.2 Vulnerability Fix Checklist

When security alerts occur, immediately execute:

1. Version Upgrade Process:

Current Version → Verify Compatibility → Deploy in Test Environment → Gray Release → Full Deployment

3. Emergency Mitigation Measures:

• Temporarily enable IP whitelisting
• Downgrade to JSON or other secure protocols
• Disable generic invocation interfaces

38. Post-incident Audit Focus:

• Analyze malicious payload characteristics
• Check for suspicious processes on servers
• Review abnormal network connections

Future Protecsion Trends and Architectural Considerations

New-generation serialization solutions show three key trends:

1. Protocol Innovation: Triple protocol with built-in Protobuf serialization supports:

• Strong type checking
• Binary-safe encoding
• Forward-compatible field design

44. Hardware-level Protection: Intel SGX and other trusted execution environment technologies enable:

• Memory data encryption
• Secure enclave isolation
• Remote proof mechanisms

46. Zero Trust Architecture:

graph TD
A[Client] -->|mTLS+JWT| B(Control Plane)
B -->|Dynamic Credentials| C(Data Plane)
C -->|Audit Logs| D(Security Analysis)

In practical projects, we successfully blocked attacks by combining:

• Injecting security agents in K8s Sidecars
• Using SPI extensions for custom serialization validation
• Deploying RASP protection for critical services