Remote Code Execution Caused by the Default Deserialization of Apache Dubbo Provider (CVE-2020-1948)
Jun 28, 2020 GMT+08:00
I. Overview
Apache Dubbo has disclosed a deserialization remote code execution vulnerability (CVE-2020-1948) in the Provider. An attacker can send RPC requests that carry an unrecognized service name or method name together with a malicious parameter payload. When the Provider deserializes that parameter, the attacker's code is executed.
If you use Apache Dubbo, check your systems and apply the hardening measures below promptly.
II. Severity
Rating scale: low, moderate, important, critical.
III. Affected Products
Affected versions:
Apache Dubbo 2.7.0 to 2.7.6
Apache Dubbo 2.6.0 to 2.6.7
Apache Dubbo all 2.5.x versions (no longer supported by the official team)
Secure versions:
Apache Dubbo 2.7.7 and later
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official release. If your service version falls into the affected range, upgrade it to a secure version.
Download the fixed release at: https://github.com/apache/dubbo/releases/tag/dubbo-2.7.7
Note: Before upgrading, back up your files and test the new version thoroughly.
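As an added example (not part of this notice or of the Dubbo project), the following Python script turns the version ranges above into a check that can be run over the output of `mvn dependency:tree`. Versions the notice does not list (for example any 2.6.x release after 2.6.7) are reported as "not covered" rather than as safe, because this notice says nothing about them. The sample dependency tree is constructed; the artifact coordinates assume the Maven coordinates com.alibaba:dubbo (2.6.x and older) and org.apache.dubbo:dubbo (2.7.x).

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Dubbo artifacts as they appear in `mvn dependency:tree` output (assumption:
# 2.6.x and older were published under com.alibaba, 2.7.x under org.apache.dubbo;
# dubbo-* sub-modules share the release version and are matched too).
_DUBBO_ARTIFACT = re.compile(
    r"(?P<coord>(?:org\.apache\.dubbo|com\.alibaba):dubbo(?:-[a-z0-9-]+)?)"
    r":jar:(?P<version>[^:\s]+):"
)
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Leading numeric major.minor[.patch]; qualifiers such as -SNAPSHOT are ignored."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version: str) -> str:
    """Map a Dubbo version onto the ranges given in the notice.

    Returns 'affected', 'fixed' (2.7.7 and later), 'not covered' for versions
    the notice does not list (e.g. 2.6.x after 2.6.7), or 'unparseable'.
    """
    v = parse_version(version)
    if v is None:
        return "unparseable"
    major, minor, patch = v
    if (major, minor) == (2, 5):                  # every 2.5.x release
        return "affected"
    if (major, minor) == (2, 6) and patch <= 7:   # 2.6.0 to 2.6.7
        return "affected"
    if (major, minor) == (2, 7) and patch <= 6:   # 2.7.0 to 2.7.6
        return "affected"
    if v >= (2, 7, 7):                            # secure per the notice
        return "fixed"
    return "not covered"


def scan_dependency_tree(tree: str) -> List[Tuple[str, str, str]]:
    """Find every Dubbo artifact in dependency:tree output and classify it."""
    findings = []
    for line in tree.splitlines():
        m = _DUBBO_ARTIFACT.search(line)
        if m:
            version = m.group("version")
            findings.append((m.group("coord"), version, classify(version)))
    return findings


# Constructed sample output; not taken from any real build.
SAMPLE_TREE = """\
[INFO] com.example:order-service:jar:1.0.0
[INFO] +- org.apache.dubbo:dubbo:jar:2.7.5:compile
[INFO] |  \\- org.apache.dubbo:dubbo-common:jar:2.7.5:compile
[INFO] +- com.alibaba:dubbo:jar:2.6.5:compile
[INFO] +- com.alibaba:dubbo:jar:2.6.9:compile
[INFO] \\- org.apache.dubbo:dubbo:jar:2.7.7:compile
"""

if __name__ == "__main__":
    for coord, version, status in scan_dependency_tree(SAMPLE_TREE):
        print(f"{coord}:{version} -> {status}")
```

Pipe real output in with `mvn dependency:tree | python3 check_dubbo.py` after replacing the constructed sample with `sys.stdin.read()`; anything reported as "affected" should be moved to 2.7.7 or later, and anything "not covered" checked against the project's own release notes rather than assumed safe.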