
Remote Code Execution Caused by the Default Deserialization of Apache Dubbo Provider (CVE-2020-1948)

Jun 28, 2020 GMT+08:00

I. Overview

Apache Dubbo has recently disclosed a deserialization remote code execution vulnerability (CVE-2020-1948) in the Provider. An attacker can send RPC requests with an unrecognized service name or method name together with malicious parameter payloads. When the Provider deserializes such a parameter, the malicious code it carries is executed.

If you are an Apache Dubbo user, check your system and implement timely security hardening.

Reference link:

https://www.mail-archive.com/dev@dubbo.apache.org/msg06544.html

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected Versions:

Apache Dubbo 2.7.0 to 2.7.6

Apache Dubbo 2.6.0 to 2.6.7

All Apache Dubbo 2.5.x versions (no longer supported by the official team)

Secure Versions:

Apache Dubbo 2.7.7 and later
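The following script is an added example, not part of this notice or of the Apache Dubbo project: it encodes the affected and secure version ranges listed above and checks the Dubbo version a build actually pulls in, either from the output of `mvn dependency:list` or from a pom.xml. The Maven coordinates it recognises (org.apache.dubbo:dubbo for 2.7.x, com.alibaba:dubbo for 2.6.x and earlier) are an assumption about how the artifact has been published, and the sample inputs are constructed for the demonstration. Versions the notice does not classify (for example anything below 2.5, or 2.6.x above 2.6.7) are reported as "unknown" rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the notice (inclusive bounds).
AFFECTED_RANGES = [((2, 7, 0), (2, 7, 6)), ((2, 6, 0), (2, 6, 7))]
# Every 2.5.x release is affected (and no longer supported upstream).
AFFECTED_MINOR_LINES = [(2, 5)]
# First secure release named by the notice; anything at or above it is fixed.
FIXED_VERSION = (2, 7, 7)

# Maven coordinates of the Dubbo artifact (assumption: org.apache.dubbo for
# 2.7.x, com.alibaba for 2.6.x and earlier).
DUBBO_COORDS = {("org.apache.dubbo", "dubbo"), ("com.alibaba", "dubbo")}


def parse_version(text):
    """Turn '2.7.3' into (2, 7, 3); raise on placeholders like ${dubbo.version}."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls inside one of the ranges the notice lists."""
    v = parse_version(version) if isinstance(version, str) else version
    if v[:2] in AFFECTED_MINOR_LINES:
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def dubbo_versions_from_dependency_list(text):
    """Extract Dubbo versions from `mvn dependency:list` output lines such as
    '[INFO]    org.apache.dubbo:dubbo:jar:2.7.3:compile'."""
    found = []
    for line in text.splitlines():
        m = re.search(r"([\w.\-]+):([\w.\-]+):jar:([\d.]+)", line)
        if m and (m.group(1), m.group(2)) in DUBBO_COORDS:
            found.append(m.group(3))
    return found


def _local(tag):
    # Strip the POM XML namespace so tags compare as plain names.
    return tag.rsplit("}", 1)[-1]


def dubbo_versions_from_pom(pom_xml):
    """Extract Dubbo versions declared directly in a pom.xml. Only literal
    versions are understood; property placeholders are returned unresolved."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) in DUBBO_COORDS:
            found.append(fields.get("version", "<unresolved>"))
    return found


def assess(versions):
    """Return (version, verdict) pairs; verdict is 'affected', 'fixed' or 'unknown'."""
    report = []
    for v in versions:
        try:
            parsed = parse_version(v)
        except ValueError:
            report.append((v, "unknown"))   # unparseable, e.g. a Maven property
            continue
        if is_affected(parsed):
            report.append((v, "affected"))
        elif parsed >= FIXED_VERSION:
            report.append((v, "fixed"))
        else:
            report.append((v, "unknown"))   # not classified by the notice
    return report


# Constructed sample inputs for the demonstration.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.dubbo:dubbo:jar:2.7.3:compile
[INFO]    com.alibaba:hessian-lite:jar:3.2.7:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
"""

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.dubbo</groupId>
      <artifactId>dubbo</artifactId>
      <version>2.7.7</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for v, verdict in assess(dubbo_versions_from_dependency_list(SAMPLE_DEPENDENCY_LIST)):
        print(f"dependency:list -> dubbo {v}: {verdict}")
    for v, verdict in assess(dubbo_versions_from_pom(SAMPLE_POM)):
        print(f"pom.xml         -> dubbo {v}: {verdict}")
```

Run it against the real `mvn dependency:list` output rather than only the pom.xml: the resolved list reflects transitive dependencies and dependency management, so it shows the Dubbo version that actually ends up on the classpath, which is the one that matters for this vulnerability.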

IV. Vulnerability Handling

This vulnerability has been fixed in the newly released official version. If your service version falls into the affected range, upgrade it to the secure version.

Download the latest version at: https://github.com/apache/dubbo/releases/tag/dubbo-2.7.7

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.