Apache Dubbo is a high-performance, lightweight, Java-based RPC framework. It offers three key capabilities: interface-based remote calls, fault tolerance and load balancing, and automatic service registration and discovery.
When the http protocol is selected for communication, Apache Dubbo deserializes the body of each POST request it receives as a remote call from a consumer. Because no security check is applied to that data, a request carrying a crafted serialized object can make the deserialization execute arbitrary code on the provider.
Note that this vulnerability only affects users who enable the http protocol provided by Dubbo, i.e. configurations containing:
<dubbo:protocol name="http" />
Affected versions:
- Dubbo 2.7.0 to 2.7.4
- Dubbo 2.6.0 to 2.6.7
- All Dubbo 2.5.x versions (no longer supported)
Mitigation:
- Disable the http protocol
- Upgrade to Dubbo 2.7.5 or a later version
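The following is an added example written for this advisory, not code from the Dubbo project: a small audit script that combines the two conditions above, the http protocol being enabled in a Dubbo XML configuration and the Dubbo version falling into one of the listed ranges. The two configurations embedded in it are constructed samples, one with the weak `<dubbo:protocol name="http" />` setting and one exposing the same service over the default dubbo protocol instead; the Dubbo XML namespace URI is an assumption, and the check matches on the local element name so it does not depend on it.

```python
"""Audit Dubbo XML configs for the http-protocol deserialization issue.

Added example for this advisory; not part of Apache Dubbo. The configs and
the namespace URI below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: weak setting. Consumer calls arrive as HTTP POST bodies
# that the provider deserializes without validation.
VULNERABLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
    <dubbo:application name="demo-provider"/>
    <dubbo:registry address="zookeeper://127.0.0.1:2181"/>
    <!-- weak setting: http protocol enabled -->
    <dubbo:protocol name="http" port="8080"/>
    <dubbo:service interface="com.example.DemoService" ref="demoService"/>
</beans>
"""

# Constructed sample: same service exposed over the default dubbo protocol.
FIXED_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
    <dubbo:application name="demo-provider"/>
    <dubbo:registry address="zookeeper://127.0.0.1:2181"/>
    <dubbo:protocol name="dubbo" port="20880"/>
    <dubbo:service interface="com.example.DemoService" ref="demoService"/>
</beans>
"""


def http_protocol_enabled(xml_text):
    """True if any <dubbo:protocol> element selects the http protocol.

    Matches on the local element name, so the namespace prefix/URI used by
    the config does not matter.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # strip "{namespace}" part
        if local_name == "protocol" and el.get("name", "").lower() == "http":
            return True
    return False


def version_affected(version):
    """Check a Dubbo version against the advisory's ranges.

    Affected: all 2.5.x, 2.6.0 to 2.6.7, 2.7.0 to 2.7.4. Anything outside
    those lines (including versions older than 2.5) is not listed by the
    advisory and returns False.
    """
    core = version.split("-", 1)[0]  # drop qualifiers such as "-SNAPSHOT"
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break  # stop at non-numeric segments such as "RELEASE"
        parts.append(int(piece))
    parts += [0] * (3 - len(parts))
    major, minor, patch = parts[:3]
    if major != 2:
        return False
    if minor == 5:
        return True
    if minor == 6:
        return patch <= 7
    if minor == 7:
        return patch <= 4
    return False


def is_vulnerable(xml_text, version):
    """Vulnerable only when both conditions hold."""
    return http_protocol_enabled(xml_text) and version_affected(version)


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        for ver in ("2.5.10", "2.6.7", "2.7.4", "2.7.5"):
            state = "VULNERABLE" if is_vulnerable(cfg, ver) else "ok"
            print(f"{label:10s} config on Dubbo {ver}: {state}")
```

Run against a real deployment, point `http_protocol_enabled` at the provider's Spring/Dubbo XML and `version_affected` at the dubbo artifact version on the classpath; a hit means either switching the protocol or upgrading to 2.7.5 or later, as the mitigation section says.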