Apache Dubbo Hessian2 Remote Code Execution Vulnerability (CVE-2020-11995)

Aug 19, 2020 GMT+08:00

I. Overview

Apache Dubbo has disclosed a remote code execution vulnerability (CVE-2020-11995) in Hessian2, its default serialization protocol. When Hessian2 deserializes a HashMap, it rebuilds the map by inserting each decoded key, which invokes methods on the key objects (hashCode() and equals()) before the application ever sees the data. Because the classes of those objects are chosen by the sender, an attacker who can reach a Dubbo service port can supply objects whose methods, through a chain of further calls, execute arbitrary code.
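To make the mechanism concrete, the following added example (written for this notice's editorial pass, not code from the advisory or from the Dubbo project) shows that rebuilding a HashMap during deserialization runs hashCode() on every key before the caller gets the object back, and contrasts that with the same stream read under an allow-list. It uses plain java.io serialization so that it needs no Dubbo dependency; Hessian2 reaches the same point because its map deserializer inserts each decoded key with put(). The class names, the NoisyKey counter and the JEP 290 filter string are the example's own choices. Requires Java 9 or later.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the advisory or the Dubbo project): deserializing a
// HashMap calls hashCode() on every key while the map is rebuilt, so a
// deserializer that accepts arbitrary classes gives sender-chosen code an
// execution point. java.io serialization stands in for Hessian2 here.
public class HashMapDeserializationDemo {

    /** Key type whose hashCode() has a visible side effect. In a real gadget
     *  chain this would be a library class whose hashCode()/equals() reaches
     *  something dangerous; here it only counts how often it was invoked. */
    static class NoisyKey implements Serializable {
        private static final long serialVersionUID = 1L;
        static int hashCodeCalls = 0;   // static, so the counter is not part of the stream
        final String name;

        NoisyKey(String name) { this.name = name; }

        @Override public int hashCode() { hashCodeCalls++; return name.hashCode(); }

        @Override public boolean equals(Object o) {
            return o instanceof NoisyKey && ((NoisyKey) o).name.equals(name);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** The unsafe default: any class present on the classpath may be instantiated. */
    static Object deserializeUnrestricted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** The hardened form: an allow-list (JEP 290 ObjectInputFilter) that admits only
     *  the map and string types and rejects everything else, which is the same idea
     *  as the Hessian2 class whitelist that dubbo-hessian-lite 3.2.9 introduced. */
    static Object deserializeAllowListed(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "java.util.HashMap;java.lang.String;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<NoisyKey, String> m = new HashMap<>();
        m.put(new NoisyKey("k1"), "v1");
        m.put(new NoisyKey("k2"), "v2");
        byte[] blob = serialize(m);   // stands in for a payload received over the wire

        NoisyKey.hashCodeCalls = 0;
        deserializeUnrestricted(blob);
        System.out.println("hashCode() calls during unrestricted readObject(): "
                + NoisyKey.hashCodeCalls);

        NoisyKey.hashCodeCalls = 0;
        try {
            deserializeAllowListed(blob);
        } catch (InvalidClassException e) {
            // NoisyKey is not on the allow-list, so the stream is rejected
            // before any key object is constructed or hashed.
            System.out.println("allow-list rejected the stream: " + e.getMessage());
        }
        System.out.println("hashCode() calls under the allow-list: " + NoisyKey.hashCodeCalls);
    }
}
```

The first counter rises by one per key inside readObject(), before the caller receives the map; the filtered read throws InvalidClassException and leaves the counter at zero. That ordering is the whole point: the code that runs is decided by what is in the stream, not by what the receiving service intended to do with the result.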

If you run Apache Dubbo, check whether your deployments use an affected version and apply the fix or the workaround below promptly.

Reference link:

https://www.mail-archive.com/dev@dubbo.apache.org/msg06676.html

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Apache Dubbo 2.7.0 to 2.7.7

Apache Dubbo 2.6.0 to 2.6.8

All Apache Dubbo 2.5.x versions (no longer supported by the official team)

Secure versions:

Apache Dubbo 2.7.8

Apache Dubbo 2.6.9
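A quick way to act on the version list, as an added example that is not part of this notice or of the Dubbo project: the class below reads `mvn dependency:tree` output, picks out Dubbo artifacts under both group IDs Dubbo has used (com.alibaba for 2.5.x/2.6.x, org.apache.dubbo from 2.7.0), and classifies each version as affected or fixed relative to the fixed releases named above. Versions on a branch this notice does not cover are reported for manual review rather than guessed at. The sample tree lines in main(), the class name and the report format are the example's own constructions.

```java
import java.util.*;
import java.util.regex.*;

// Added example (not from the advisory or the Dubbo project): scans
// `mvn dependency:tree` output for Dubbo artifacts and decides, from the
// fixed releases named in this notice, whether each one needs upgrading.
public class DubboVersionCheck {

    // Dubbo moved from groupId com.alibaba (2.5.x/2.6.x) to org.apache.dubbo (2.7.x).
    private static final Pattern DUBBO_ARTIFACT = Pattern.compile(
            "\\b(org\\.apache\\.dubbo|com\\.alibaba):(dubbo[^:\\s]*):jar:([0-9][^:\\s]*)");

    // First fixed release per branch, as listed in this notice.
    private static final Map<String, int[]> FIXED = new HashMap<>();
    static {
        FIXED.put("2.7", new int[]{2, 7, 8});
        FIXED.put("2.6", new int[]{2, 6, 9});
        // 2.5.x: every version is affected and there is no fixed release.
    }

    /** Leading numeric components of a Maven version ("2.7.8-SNAPSHOT" -> [2,7,8]). */
    static int[] numeric(String version) {
        String core = version.split("[^0-9.]", 2)[0];
        List<Integer> out = new ArrayList<>();
        for (String p : core.split("\\.")) {
            if (!p.isEmpty()) out.add(Integer.parseInt(p));
        }
        int[] r = new int[out.size()];
        for (int i = 0; i < r.length; i++) r[i] = out.get(i);
        return r;
    }

    /** A qualifier such as -SNAPSHOT or -RC1 marks a pre-release, which Maven
     *  orders before the bare release number: 2.7.8-SNAPSHOT predates 2.7.8. */
    static boolean preRelease(String version) {
        return version.indexOf('-') >= 0;
    }

    /** Component-wise comparison; missing trailing components count as 0. */
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** "AFFECTED", "FIXED", or "UNKNOWN" (branch not covered by this notice). */
    static String classify(String version) {
        int[] v = numeric(version);
        if (v.length < 2) return "UNKNOWN";
        String branch = v[0] + "." + v[1];
        if (branch.equals("2.5")) return "AFFECTED";
        int[] fixed = FIXED.get(branch);
        if (fixed == null) return "UNKNOWN";
        int c = compare(v, fixed);
        if (c < 0) return "AFFECTED";
        if (c == 0 && preRelease(version)) return "AFFECTED";
        return "FIXED";
    }

    /** One report line per Dubbo artifact found in the tree output. */
    static List<String> scan(List<String> treeLines) {
        List<String> report = new ArrayList<>();
        for (String line : treeLines) {
            Matcher m = DUBBO_ARTIFACT.matcher(line);
            while (m.find()) {
                String coord = m.group(1) + ":" + m.group(2);
                String version = m.group(3);
                report.add(String.format("%-8s %s:%s", classify(version), coord, version));
            }
        }
        return report;
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:tree` output, not real project data.
        List<String> sample = Arrays.asList(
                "[INFO] +- org.apache.dubbo:dubbo:jar:2.7.3:compile",
                "[INFO] |  \\- com.alibaba:dubbo:jar:2.6.5:compile",
                "[INFO] +- org.apache.dubbo:dubbo:jar:2.7.8-SNAPSHOT:compile",
                "[INFO] +- org.apache.dubbo:dubbo:jar:2.7.8:compile",
                "[INFO] +- com.alibaba:dubbo:jar:2.5.10:compile",
                "[INFO] +- org.apache.dubbo:dubbo-common:jar:2.7.3:compile",
                "[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile");
        for (String line : scan(sample)) System.out.println(line);
    }
}
```

Run it against real output with `mvn dependency:tree | java DubboVersionCheck.java` after swapping main() to read standard input; scanning the resolved tree rather than the pom catches Dubbo pulled in transitively, which is where older 2.6.x copies under com.alibaba most often hide.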

IV. Vulnerability Handling

This vulnerability is fixed in the current official releases. If your version falls into an affected range, upgrade to the fixed release for your branch (2.7.8 or 2.6.9). The 2.5.x line has no fixed release and is no longer supported, so move those deployments to 2.6.9 or 2.7.8.

Download address of Apache Dubbo 2.7.8: https://github.com/apache/dubbo/releases/tag/dubbo-2.7.8

Download address of Apache Dubbo 2.6.9: https://github.com/apache/dubbo/releases/tag/dubbo-2.6.9

Workarounds:

If you cannot upgrade yet, enable the class whitelist introduced in dubbo-hessian-lite 3.2.9 so that Hessian2 deserializes only the classes your services actually exchange, following the workaround provided on the official release page. A whitelist reduces the attack surface but does not replace the upgrade.

Reference link: https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.9

Note: Back up your files and test the change thoroughly before applying the fix or the workaround in production.