CVE-2023-46279 & CVE-2023-29234: Two Vulnerabilities Found in Apache Dubbo

In the intricate world of web and RPC frameworks, Apache Dubbo stands out as a beacon for enterprise-level microservices, renowned for its simplicity, high performance, and a suite of features that ensure seamless service discovery, traffic management, and security. However, even the most fortified bastions have their vulnerabilities. Recently, two significant security vulnerabilities have been disclosed in Apache Dubbo, prompting an urgent call to action for users and administrators.

CVE-2023-46279

Tagged with a severity level of ‘important’, CVE-2023-46279 is described as a bypass of the deny serialize list check in Apache Dubbo. Because the check can be bypassed, untrusted data may reach the deserializer, and such a loophole could be exploited by malicious entities to compromise the integrity of applications using Apache Dubbo. Alarmingly, this issue affects only Apache Dubbo 3.1.5, a version previously believed to be secure.

In response to CVE-2023-46279, Apache Dubbo’s team has released an updated version that plugs this security hole. Users are strongly advised to upgrade to this latest version to fortify their defenses against this vulnerability.

CVE-2023-29234

With a severity level marked as ‘moderate’, CVE-2023-29234 is another flaw in Apache Dubbo. This vulnerability is rooted in the framework’s handling of serialized data: specifically, it lies in the deserialization process when decoding a malicious package. The breadth of this issue is wider, affecting versions from 3.1.0 through 3.1.10 and from 3.2.0 through 3.2.4. Exploitation of this vulnerability could lead to unauthorized access and manipulation of data, a nightmare scenario for any enterprise relying on Apache Dubbo.

To combat CVE-2023-29234, the developers behind Apache Dubbo have again stepped up, providing an updated version that addresses and rectifies this vulnerability.
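As an added illustration that is not part of the advisory or of the Dubbo project, the following Python script flags Dubbo artifacts whose versions fall in the affected ranges stated above for both CVEs. The dependency listing is a constructed sample in the format of `mvn dependency:list` output, and the regular expression assumes that format.

```python
import re
from typing import List, Tuple

# Affected version ranges as stated in the advisory summary above (inclusive bounds).
AFFECTED = {
    "CVE-2023-46279": [("3.1.5", "3.1.5")],
    "CVE-2023-29234": [("3.1.0", "3.1.10"), ("3.2.0", "3.2.4")],
}

# Constructed sample in the style of `mvn dependency:list` output (hypothetical project).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.dubbo:dubbo:jar:3.1.5:compile
[INFO]    org.apache.dubbo:dubbo-common:jar:3.2.4:compile
[INFO]    org.apache.dubbo:dubbo-rpc-api:jar:3.2.5:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
"""

# Matches groupId:artifactId:jar:version:scope for the Dubbo group only.
DEP_RE = re.compile(r"org\.apache\.dubbo:([\w.-]+):jar:([\w.-]+):")


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.1.10' -> (3, 1, 10). Numeric, not string, order: 3.1.10 > 3.1.5. Drops '-SNAPSHOT' style qualifiers."""
    return tuple(int(p) for p in v.split("-")[0].split(".") if p.isdigit())


def affected_cves(version: str) -> List[str]:
    """CVE ids whose stated ranges include this Dubbo version (empty list if none)."""
    pv = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in ranges)]


def scan_dependency_list(text: str) -> List[Tuple[str, str, List[str]]]:
    """(artifact, version, cves) for each Dubbo artifact listed in an affected version."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if m and affected_cves(m.group(2)):
            findings.append((m.group(1), m.group(2), affected_cves(m.group(2))))
    return findings


if __name__ == "__main__":
    for artifact, version, cves in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version}: {', '.join(cves)}")
```

The script reports only the ranges quoted on this page; an upgrade to the fixed release remains the remediation in both cases.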