
Apache Dubbo Deserialization Vulnerability (CVE-2019-17564)

Feb 14, 2020 GMT+08:00

I. Overview

Apache Dubbo has officially disclosed a deserialization vulnerability (CVE-2019-17564). Apache Dubbo is a high-performance, lightweight, Java-based RPC framework. When the HTTP protocol is selected for communication, Apache Dubbo deserializes the body of the POST request that a consumer sends for a remote call. Because no security check is performed on that data, the deserialization can lead to arbitrary code execution.

We therefore remind Apache Dubbo users to perform a self-check and apply security hardening promptly.

Reference links:

https://www.mail-archive.com/dev@dubbo.apache.org/msg06226.html

II. Severity

Severity: Moderate

(Severity levels: low, moderate, important, and critical)

III. Affected Product

Affected Versions:

Apache Dubbo 2.7.0 to 2.7.4

Apache Dubbo 2.6.0 to 2.6.7

All Apache Dubbo 2.5.x versions

IV. Vulnerability Handling

1. Upgrade: This vulnerability has been fixed in the latest official release. If your service version falls within the affected range, upgrade it to the latest version.

2. Workaround: Disable the HTTP protocol in Dubbo to temporarily mitigate the vulnerability. HUAWEI CLOUD WAF can defend against attacks that exploit this vulnerability. If you use the HUAWEI CLOUD WAF service, set the basic web protection status to Block. For details, see Enabling Basic Web Protection.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
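As an added self-check that is not part of this notice, the Python script below scans a Spring XML Dubbo configuration and a dubbo.properties file for the HTTP protocol setting that the workaround above says to disable. The sample files are constructed; the `<dubbo:protocol name="http">` element and the `dubbo.protocol.name` / `dubbo.protocols.<id>.name` property keys are assumed to follow Dubbo's standard configuration format.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample of a Spring XML Dubbo config that still exposes the
# HTTP protocol alongside the native dubbo protocol.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
    <dubbo:application name="demo-provider"/>
    <dubbo:protocol id="http" name="http" port="8080" server="jetty"/>
    <dubbo:protocol id="dubbo" name="dubbo" port="20880"/>
    <dubbo:service interface="com.example.DemoService" ref="demoService"
                   protocol="http,dubbo"/>
</beans>
"""

# Constructed dubbo.properties sample selecting the HTTP protocol.
SAMPLE_PROPERTIES = """dubbo.application.name=demo-provider
dubbo.protocol.name=http
dubbo.protocol.port=8080
dubbo.protocols.rpc.name=dubbo
"""

def http_protocols_in_xml(xml_text: str) -> List[str]:
    """Describe every <dubbo:protocol> element whose name is http."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Drop the namespace so the check works whatever prefix is declared.
        local = elem.tag.rsplit("}", 1)[-1]
        if local == "protocol" and elem.get("name", "").lower() == "http":
            findings.append("protocol id=%s name=http port=%s"
                            % (elem.get("id", "<none>"), elem.get("port", "<default>")))
    return findings

# Matches dubbo.protocol.name=http and dubbo.protocols.<id>.name=http (assumed keys).
PROP_RE = re.compile(r"^\s*dubbo\.protocol(?:s\.[^.=\s]+)?\.name\s*=\s*http\s*$", re.I)

def http_protocols_in_properties(text: str) -> List[str]:
    """Return each property line that selects the HTTP protocol."""
    return [line.strip() for line in text.splitlines() if PROP_RE.match(line)]

def is_exposed(xml_text: str, props_text: str) -> bool:
    """True if either config source still enables Dubbo's HTTP protocol."""
    return bool(http_protocols_in_xml(xml_text) or http_protocols_in_properties(props_text))

if __name__ == "__main__":
    for f in http_protocols_in_xml(SAMPLE_XML) + http_protocols_in_properties(SAMPLE_PROPERTIES):
        print("HTTP protocol enabled:", f)
```

Run it against your own provider configuration files after the change to confirm that no HTTP protocol definition remains.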