CVE-2019-17564: Apache Dubbo Deserialization Vulnerability Alert

On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice and rated the vulnerability severity as important.

Apache Dubbo is a high-performance, lightweight, Java-based RPC framework. Dubbo offers three key functionalities: interface-based remote calls, fault tolerance and load balancing, and automatic service registration and discovery.

Vulnerability details

When the HTTP protocol is selected for communication, Apache Dubbo deserializes the body of a POST request that a consumer sends as a remote call. Because the request body is not checked before it is deserialized, a crafted request can cause the deserialization to execute arbitrary code.

Notice that this vulnerability only affects users who enable the http protocol provided by Dubbo:
<dubbo:protocol name="http" />

Affected Version

  • Dubbo 2.7.0 to 2.7.4
  • Dubbo 2.6.0 to 2.6.7
  • Dubbo all 2.5.x versions (no longer supported)

Solution

  • Disable the http protocol
  • Upgrade to version 2.7.5 or later
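As an added example (not part of the advisory or of the Dubbo project's own code), the following Python script checks a Dubbo XML configuration for the `<dubbo:protocol name="http" />` setting described above and compares a Dubbo version string against the affected ranges listed in this alert, so that an operator can tell whether a given deployment needs the http protocol disabled or an upgrade. The two sample configurations are constructed for the example; the XML namespace URIs and the choice of the `dubbo` protocol as the replacement in the hardened sample are assumptions, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Affected ranges as listed in the advisory:
# all 2.5.x, 2.6.0 through 2.6.7, and 2.7.0 through 2.7.4 (fixed in 2.7.5).
AFFECTED_RANGES = [
    ((2, 5, 0), (2, 5, 9999)),
    ((2, 6, 0), (2, 6, 7)),
    ((2, 7, 0), (2, 7, 4)),
]

# Constructed sample: provider exposed over the http protocol (the affected setting).
# The namespace URIs are assumptions made for this example.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
    <dubbo:application name="demo-provider"/>
    <dubbo:protocol name="http" port="8080"/>
</beans>"""

# Constructed sample: same provider with the http protocol removed.
# Using the default "dubbo" protocol as the replacement is an assumption.
HARDENED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
    <dubbo:application name="demo-provider"/>
    <dubbo:protocol name="dubbo" port="20880"/>
</beans>"""


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' (qualifiers such as '-SNAPSHOT' dropped) into a tuple."""
    core = version.split("-")[0]
    nums = [int(part) for part in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def version_is_affected(version):
    """True if the version falls inside any range named in the advisory."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def _local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def http_protocols(xml_text):
    """Return the ids (or 'http') of every <dubbo:protocol> element that enables http."""
    root = ET.fromstring(xml_text)
    hits = []
    for element in root.iter():
        if _local_name(element.tag) == "protocol" and element.get("name", "").lower() == "http":
            hits.append(element.get("id") or "http")
    return hits


def assess(xml_text, dubbo_version):
    """Combine both conditions: exposure requires http enabled AND an affected version."""
    http_enabled = bool(http_protocols(xml_text))
    affected = version_is_affected(dubbo_version)
    return {
        "http_enabled": http_enabled,
        "version_affected": affected,
        "vulnerable": http_enabled and affected,
    }


if __name__ == "__main__":
    for label, config in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        for version in ("2.7.4", "2.7.5"):
            print(label, version, assess(config, version))
```

The script reports a deployment as exposed only when both conditions hold, which mirrors the advisory's two remediation options: either remove the http protocol from the configuration or move to 2.7.5 or later. Matching on the local element name rather than a fixed namespace keeps the check working whichever Dubbo schema URI a project declares.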