Apache Dubbo recently announced a remote code execution vulnerability (CVE-2020-1948). The advisory states: “An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code.”
Apache Dubbo is a high-performance, lightweight, Java-based RPC framework. Dubbo offers three key functionalities: interface-based remote calls, fault tolerance and load balancing, and automatic service registration and discovery.
Affected versions:
- 2.7.0 <= Dubbo Version <= 2.7.6
- 2.6.0 <= Dubbo Version <= 2.6.7
- All Dubbo versions 2.5.x
Unaffected versions:
- Dubbo Version >= 2.7.7
Apache Dubbo has released a new version that fixes the vulnerability; affected users should upgrade to a fixed version as soon as possible.
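To turn the version ranges above into a repeatable inventory check, here is an added example (not part of the advisory or the Dubbo project) that classifies Dubbo version strings as affected, not affected, or needing manual review. It assumes versions are written as `major.minor.patch` with an optional `-qualifier` such as `-SNAPSHOT`; pre-release builds are flagged for review rather than assumed to carry the fix, and versions the advisory does not mention (for example 2.6.8) are reported as not covered rather than as safe.

```python
"""Triage Apache Dubbo versions against the CVE-2020-1948 ranges listed above."""
import re

# Inclusive version ranges the advisory lists as affected.
AFFECTED_RANGES = [((2, 6, 0), (2, 6, 7)), ((2, 7, 0), (2, 7, 6))]
AFFECTED_MINOR_LINES = {(2, 5)}   # "All Dubbo versions 2.5.x"
FIXED_FROM = (2, 7, 7)            # "Dubbo Version >= 2.7.7"

# Assumed version syntax: numeric core plus optional "-qualifier" (e.g. -SNAPSHOT).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version: str):
    """Return ((major, minor, patch), is_prerelease) for strings such as
    '2.7.6', '2.7' or '2.7.7-SNAPSHOT'; missing components count as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Dubbo version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    core = tuple((parts + [0, 0, 0])[:3])
    return core, m.group(2) is not None


def classify(version: str) -> str:
    """Map one version string to 'affected', 'not affected', 'review'
    (pre-release build whose fix status is unknown) or 'not covered by advisory'."""
    core, prerelease = parse_version(version)
    if prerelease:
        return "review"
    if core[:2] in AFFECTED_MINOR_LINES:
        return "affected"
    if any(lo <= core <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if core >= FIXED_FROM:
        return "not affected"
    return "not covered by advisory"


def triage(inventory):
    """Classify every entry of an inventory list, keeping the original strings."""
    return {v: classify(v) for v in inventory}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration, not real scan output.
    sample = ["2.5.3", "2.6.7", "2.6.8", "2.7.0", "2.7.6", "2.7.7",
              "2.7.7-SNAPSHOT", "2.7.8"]
    for ver, status in triage(sample).items():
        print(f"{ver:>16}  {status}")
```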