Service Notices
Apache Dubbo Hessian2 Remote Code Execution Vulnerability (CVE-2020-11995)
Aug 19, 2020 GMT+08:00
I. Overview
Apache Dubbo has recently disclosed that its default deserialization protocol, Hessian2, contains a remote code execution vulnerability (CVE-2020-11995). When Hessian2 deserializes a HashMap object, methods of the classes stored in the HashMap are invoked through a chain of internal calls. An attacker can exploit this behavior to achieve remote code execution.
If you are an Apache Dubbo user, check your system and implement timely security hardening.
Reference link:
https://www.mail-archive.com/dev@dubbo.apache.org/msg06676.html
II. Severity
Severity: important
(Severity scale, from lowest to highest: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache Dubbo 2.7.0 to 2.7.2
Apache Dubbo 2.6.0 to 2.6.8
Apache Dubbo, all 2.5.x versions (no longer supported by the official team)
Secure versions:
Apache Dubbo 2.7.8
Apache Dubbo 2.6.9
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official versions. If your version falls into the affected range, upgrade it to a secure version.
Download address of Apache Dubbo 2.7.8: https://github.com/apache/dubbo/releases/tag/dubbo-2.7.8
Download address of Apache Dubbo 2.6.9: https://github.com/apache/dubbo/releases/tag/dubbo-2.6.9
Workarounds:
If you cannot upgrade now, configure the class whitelist in Hessian2 (dubbo-hessian-lite) 3.2.9, following the workaround published on the official website, to mitigate the risk.
Reference link: https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.9
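The whitelist workaround works by refusing to resolve any class during deserialization that is not explicitly permitted. The following is an added illustration, not code from Apache Dubbo or dubbo-hessian-lite, of the policy such a list enforces: deny by default, allow exact class names or package prefixes, and let deny entries override allow entries. The class name `DeserializationAllowlist`, its methods, and the `com.example.rpc.model` package names are hypothetical; the concrete configuration hooks for dubbo-hessian-lite 3.2.9 should be taken from the release notes linked above.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical, self-contained class allowlist for a deserializer.
 * Modelled on the idea behind the Hessian2 whitelist workaround:
 * everything is denied unless listed, and explicit deny patterns
 * take precedence over allow patterns.
 */
public class DeserializationAllowlist {

    private final List<String> allow = new ArrayList<>();
    private final List<String> deny = new ArrayList<>();

    /** A pattern is either an exact class name or a package prefix ending in ".*". */
    public DeserializationAllowlist allow(String pattern) { allow.add(pattern); return this; }
    public DeserializationAllowlist deny(String pattern) { deny.add(pattern); return this; }

    private static boolean matches(String pattern, String className) {
        if (pattern.endsWith(".*")) {
            // "com.example.rpc.model.*" matches anything under "com.example.rpc.model."
            return className.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return pattern.equals(className);
    }

    /** True only if the class is covered by an allow pattern and by no deny pattern. */
    public boolean isAllowed(String className) {
        for (String d : deny) if (matches(d, className)) return false;
        for (String a : allow) if (matches(a, className)) return true;
        return false; // default deny
    }

    /** Resolve a class for deserialization, refusing anything outside the allowlist. */
    public Class<?> load(String className) throws ClassNotFoundException {
        if (!isAllowed(className)) {
            throw new ClassNotFoundException("class not on deserialization allowlist: " + className);
        }
        // initialize=false: do not run static initializers merely because a name was seen on the wire
        return Class.forName(className, false, Thread.currentThread().getContextClassLoader());
    }

    public static void main(String[] args) {
        DeserializationAllowlist filter = new DeserializationAllowlist()
            .allow("java.lang.String")
            .allow("java.util.HashMap")
            .allow("com.example.rpc.model.*")            // hypothetical application DTO package
            .deny("com.example.rpc.model.internal.*");   // hypothetical sub-package kept off the wire

        // Constructed sample class names to show each branch of the policy.
        String[] probes = {
            "java.util.HashMap",                         // allowed: exact match
            "com.example.rpc.model.OrderRequest",        // allowed: prefix match
            "com.example.rpc.model.internal.Secret",     // rejected: deny overrides allow
            "java.lang.Runtime",                         // rejected: not listed at all
        };
        for (String name : probes) {
            System.out.println(name + " -> " + (filter.isAllowed(name) ? "allowed" : "REJECTED"));
        }
    }
}
```

Compile and run with `javac DeserializationAllowlist.java && java DeserializationAllowlist`. The important design choice is the default: an allowlist that is empty rejects everything, so a service that has not enumerated its DTO classes fails closed rather than silently accepting arbitrary types from a remote peer.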
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.