Service Notices
Apache Dubbo Hessian Deserialization Vulnerability (CVE-2022-39198)
Oct 24, 2022 GMT+08:00
I. Overview
It has recently been disclosed that Apache Dubbo Hessian-lite 3.2.12 and earlier versions contain a deserialization vulnerability (CVE-2022-39198). An unauthorized attacker can send a crafted request to execute arbitrary code on the target system.
Apache Dubbo is a microservice development framework. If you use Apache Dubbo, check your systems and apply security hardening promptly.
References:
https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache Dubbo 2.7.x <= 2.7.17
Apache Dubbo 3.0.x <= 3.0.11
Apache Dubbo 3.1.x <= 3.1.0
Secure versions:
Apache Dubbo 2.7.x >= 2.7.18
Apache Dubbo 3.0.x >= 3.0.12
Apache Dubbo 3.1.x >= 3.1.1
IV. Vulnerability Handling
This vulnerability has been fixed in later official releases. If your service version falls within the affected range, upgrade it to the latest secure version:
https://github.com/apache/dubbo/tags
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
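To apply the version check above to a real build, the following added example (not part of this notice or of the Dubbo project) scans Maven dependency:tree output for Dubbo and hessian-lite jars and classifies each against the ranges given in sections I and III. It assumes the Maven coordinates org.apache.dubbo:dubbo and com.alibaba:hessian-lite, and uses a constructed sample of dependency:tree output.

```python
import re

# First secure Dubbo release per branch, from the "Secure versions" list above.
# Any release of the same branch below this value is affected.
DUBBO_FIRST_FIXED = {
    (2, 7): (2, 7, 18),
    (3, 0): (3, 0, 12),
    (3, 1): (3, 1, 1),
}
# The notice states hessian-lite 3.2.12 and earlier are vulnerable but names no
# fixed hessian-lite release, so only the affected upper bound is encoded.
HESSIAN_LITE_LAST_AFFECTED = (3, 2, 12)

# Matches Maven dependency:tree lines such as
# "[INFO] +- org.apache.dubbo:dubbo:jar:2.7.15:compile"
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):")


def parse_version(text):
    """Turn '2.7.15' or '3.0.12-SNAPSHOT' into a comparable tuple of ints."""
    core = text.split("-")[0]  # drop qualifiers like -SNAPSHOT
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def dubbo_status(version):
    """Classify a Dubbo version as 'affected', 'fixed' or 'unknown-branch'."""
    v = parse_version(version)
    fixed = DUBBO_FIRST_FIXED.get(v[:2])
    if fixed is None:
        return "unknown-branch"  # branch not covered by the notice, e.g. 2.6.x
    return "fixed" if v >= fixed else "affected"


def hessian_lite_status(version):
    """'affected' if <= 3.2.12, otherwise 'outside-range' (not listed)."""
    return "affected" if parse_version(version) <= HESSIAN_LITE_LAST_AFFECTED else "outside-range"


def scan_dependency_tree(output):
    """Return (group:artifact, version, status) for each Dubbo-related jar."""
    findings = []
    for line in output.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if (group, artifact) == ("org.apache.dubbo", "dubbo"):
            findings.append((f"{group}:{artifact}", version, dubbo_status(version)))
        elif (group, artifact) == ("com.alibaba", "hessian-lite"):
            findings.append((f"{group}:{artifact}", version, hessian_lite_status(version)))
    return findings


# Constructed sample of `mvn dependency:tree` output (hypothetical project).
SAMPLE_TREE = "\n".join([
    "[INFO] +- org.apache.dubbo:dubbo:jar:2.7.15:compile",
    "[INFO] |  \\- com.alibaba:hessian-lite:jar:3.2.11:compile",
    "[INFO] +- org.apache.dubbo:dubbo:jar:3.0.12:compile",
    "[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile",
])

if __name__ == "__main__":
    for coords, version, status in scan_dependency_tree(SAMPLE_TREE):
        print(f"{coords} {version}: {status}")
```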