CVE-2020-1948: Apache Dubbo Remote Code Execution Vulnerability Alert
Recently, Apache Dubbo announced a remote code execution vulnerability (CVE-2020-1948). “An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code.”
Apache Dubbo is a high-performance, lightweight, java based RPC framework. Dubbo offers three key functionalities, which include interface based remote call, fault tolerance & load balancing, and automatic service registration & discovery.
Affected version
- 2.7.0 <= Dubbo Version <= 2.7.6
- 2.6.0 <= Dubbo Version <= 2.6.7
- All Dubbo versions 2.5.x
Unaffected version
- Dubbo Version >= 2.7.7
Solution
Apache Dubbo has released a new version to fix the vulnerability, and the affected users are requested to upgrade as soon as possible for protection.