Service Notices
Apache Dubbo Deserialization Vulnerability (CVE-2019-17564)
Feb 14, 2020 GMT+08:00
I. Overview
Apache Dubbo has published a deserialization vulnerability, CVE-2019-17564. Apache Dubbo is a high-performance, lightweight, Java-based RPC framework. When a provider is configured to use the HTTP protocol for remoting (Dubbo's http protocol is built on Spring's HttpInvoker, which reads the request body with Java native serialization), the provider deserializes the body of every POST request that arrives as a remote call from a consumer. Because no check is applied to what is being deserialized, an attacker who can reach the HTTP port can send a request containing a crafted serialized Java object and execute arbitrary code on the provider.
We therefore advise Apache Dubbo users to check whether they are affected and to apply the fixes below promptly.
Reference links:
https://www.mail-archive.com/dev@dubbo.apache.org/msg06226.html
II. Severity
Severity: Moderate
(Severity scale: low, moderate, important, critical)
III. Affected Product
Affected Versions:
Apache Dubbo 2.7.0 to 2.7.4
Apache Dubbo 2.6.0 to 2.6.7
Apache Dubbo all 2.5.x versions
IV. Vulnerability Handling
1. Upgrade: The vulnerability is fixed in Apache Dubbo 2.7.5. If your service runs a version in the affected range, upgrade to 2.7.5 or later.
2. Workaround: If you cannot upgrade immediately, disable the HTTP protocol on affected providers: remove or replace the <dubbo:protocol name="http" .../> element in the Spring XML configuration (or the dubbo.protocol.name=http property) with another protocol such as dubbo, and switch the consumers of those services to the same protocol. The vulnerable code path is only reachable through the HTTP protocol, and only on providers that expose it. As defense in depth, restrict network access to provider ports to known consumers. HUAWEI CLOUD WAF can block attacks exploiting this vulnerability for traffic that passes through the WAF. If you are a user of the HUAWEI CLOUD WAF service, set the basic web protection status to Block. For details, see Enabling Basic Web Protection.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
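The following self-check script is an added example and is not code from Huawei Cloud or the Apache Dubbo project. It encodes only what this notice states: the affected version ranges and the fact that exposure requires the HTTP protocol to be enabled on a provider. The sample configuration texts are constructed for illustration; the XML element, properties key and namespace are the standard Dubbo Spring-XML and properties forms, and nested YAML configuration is not parsed. Point it at your real Dubbo version and provider configuration to decide whether the upgrade or the workaround is urgent for a given instance.

```python
"""Self-check for CVE-2019-17564 exposure (added example, not project code)."""
import re
from typing import Tuple

# Affected ranges taken from the notice: (major, minor, min_patch, max_patch).
# A None patch bound means every patch level of that minor line is affected.
AFFECTED_RANGES = (
    (2, 5, None, None),   # all 2.5.x
    (2, 6, 0, 7),         # 2.6.0 .. 2.6.7
    (2, 7, 0, 4),         # 2.7.0 .. 2.7.4 (fixed in 2.7.5)
)

# The two common ways an HTTP provider is declared (assumed standard forms):
#   Spring XML:  <dubbo:protocol name="http" port="8080" server="tomcat"/>
#   properties:  dubbo.protocol.name=http   (or dubbo.protocols.<id>.name=http)
_HTTP_PATTERNS = (
    re.compile(r"<dubbo:protocol\b[^>]*\bname\s*=\s*[\"']http[\"']", re.I),
    re.compile(r"^\s*dubbo\.protocol(?:s\.[\w-]+)?\.name\s*[=:]\s*http\s*$",
               re.I | re.M),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'x.y.z', tolerating suffixes such as '2.7.4-SNAPSHOT'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Dubbo version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected_version(version: str) -> bool:
    """True if the version falls inside one of the ranges in the notice."""
    major, minor, patch = parse_version(version)
    for a_major, a_minor, lo, hi in AFFECTED_RANGES:
        if (major, minor) != (a_major, a_minor):
            continue
        return True if lo is None else lo <= patch <= hi
    return False


def http_protocol_enabled(config_text: str) -> bool:
    """True if the provider configuration selects Dubbo's http protocol."""
    return any(p.search(config_text) for p in _HTTP_PATTERNS)


def assess(version: str, config_text: str) -> Tuple[bool, str]:
    """Combine version and configuration into (exposed, explanation)."""
    if not is_affected_version(version):
        return False, f"Dubbo {version} is outside the affected ranges"
    if not http_protocol_enabled(config_text):
        return False, (f"Dubbo {version} is affected but the HTTP protocol is "
                       "not configured; the vulnerable path is unreachable, "
                       "upgrade to 2.7.5 or later anyway")
    return True, (f"Dubbo {version} exposes the HTTP protocol: disable it or "
                  "upgrade to 2.7.5 or later now")


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_XML_HTTP = """
<beans xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
  <dubbo:application name="demo-provider"/>
  <dubbo:protocol name="http" port="8080" server="tomcat"/>
  <dubbo:service interface="com.example.DemoService" ref="demoService"/>
</beans>
"""
# The workaround applied: same provider, switched to the dubbo protocol.
SAMPLE_XML_FIXED = SAMPLE_XML_HTTP.replace(
    'name="http" port="8080" server="tomcat"', 'name="dubbo" port="20880"')
SAMPLE_PROPS_HTTP = ("dubbo.application.name=demo-provider\n"
                     "dubbo.protocol.name=http\n"
                     "dubbo.protocol.port=8080\n")

if __name__ == "__main__":
    for ver, cfg in (("2.7.4", SAMPLE_XML_HTTP), ("2.7.4", SAMPLE_XML_FIXED),
                     ("2.7.5", SAMPLE_XML_HTTP), ("2.6.3", SAMPLE_PROPS_HTTP)):
        exposed, why = assess(ver, cfg)
        print("EXPOSED " if exposed else "ok      ", why)
```

The check is deliberately conservative: a version inside the affected range is reported as needing the upgrade even when HTTP is not configured, because a later configuration change could re-enable the vulnerable path.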