On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice; the severity of the vulnerability is rated as important.
Apache Dubbo is a high-performance, lightweight, Java-based RPC framework. Dubbo offers three key functionalities: interface-based remote calls, fault tolerance and load balancing, and automatic service registration and discovery.
When the user selects the http protocol for communication, Apache Dubbo deserializes the body of the POST request it accepts for a remote call from the consumer. Because no security check is performed on that data before it is deserialized, the deserialization can be abused to execute arbitrary code.
Notice that this vulnerability only affects users who enable the http protocol provided by Dubbo:
<dubbo:protocol name="http" />
Affected versions:
- Dubbo 2.7.0 to 2.7.4
- Dubbo 2.6.0 to 2.6.7
- Dubbo all 2.5.x versions (no longer supported)
Mitigation:
- Disable the http protocol
- Upgrade to 2.7.5 or a higher version
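The following is an added example (not part of the original post or of the Dubbo project) that checks a provider's Dubbo XML configuration for the http protocol setting quoted above and tests the running Dubbo version against the affected ranges listed in the advisory. The sample configurations and the application name in them are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: all 2.5.x, 2.6.0 to 2.6.7, 2.7.0 to 2.7.4.
# float("inf") as the patch bound means "any patch level" for the 2.5 line.
AFFECTED_RANGES = [
    ((2, 5, 0), (2, 5, float("inf"))),
    ((2, 6, 0), (2, 6, 7)),
    ((2, 7, 0), (2, 7, 4)),
]

def parse_version(version):
    """Turn '2.7.4' or '2.7.4-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Dubbo version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def version_is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def http_protocol_enabled(xml_text):
    """True if any <dubbo:protocol> element selects the http protocol (namespace ignored)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.split("}")[-1] == "protocol" and el.get("name", "").lower() == "http":
            return True
    return False

def assess(xml_text, version):
    """Return (exposed, reason) for one provider config and the Dubbo version running it."""
    http_on = http_protocol_enabled(xml_text)
    if http_on and version_is_affected(version):
        return True, f"http protocol enabled on affected Dubbo {version}: disable it or upgrade to 2.7.5+"
    if http_on:
        return False, f"http protocol enabled but Dubbo {version} is outside the affected ranges"
    return False, "http protocol not enabled; CVE-2019-17564 does not apply"

# Constructed sample configs: the first enables the http protocol, the second uses dubbo.
VULNERABLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
    <dubbo:application name="demo-provider"/>
    <dubbo:protocol name="http" port="8080"/>
</beans>"""
SAFE_CONFIG = VULNERABLE_CONFIG.replace('name="http"', 'name="dubbo"')

if __name__ == "__main__":
    for cfg, ver in [(VULNERABLE_CONFIG, "2.7.4"), (VULNERABLE_CONFIG, "2.7.5"), (SAFE_CONFIG, "2.6.7")]:
        print(ver, assess(cfg, ver))
```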
The post CVE-2019-17564: Apache Dubbo Deserialization Vulnerability Alert appeared first on InfoTech News.