Apache Dubbo Deserialization Vulnerability (CVE-2019-17564) Threat Alert

Apache Dubbo Deserialization Vulnerability (CVE-2019-17564) Threat Alert

February 25, 2020 | Adeline Zhang

Overview

Recently, researchers from the Chekmarx team discovered and released a deserialization vulnerability (CVE-2019-17564) existing in Apache Dubbo.

Apache Dubbo is a high-performance Java RPC framework. This vulnerability exists in Dubbo application which has the HTTP protocol enabled for communication. An attacker could exploit this vulnerability by submitting a POST request with a Java object, thereby completely compromising a Provider instance of Apache Dubbo.

The Dubbo HTTP instance attempts to deserialize data within the Java ObjectStream, which contains a malicious set of classes. Due to the lack of proper filtering and check, the deserialization could cause malicious code execution.

This vulnerability only affects users who enable the HTTP protocol rather than the default Dubbo protocol.

Reference link:

https://www.mail-archive.com/dev@dubbo.apache.org/msg06225.html

Affected Versions

  • 7.0<=Dubbo Version <=2.7.4
  • 6.0 <= Dubbo Version <= 2.6.7
  • Dubbo 2.5.x (no longer supported)

Unaffected Versions

  • Dubbo Version =2.7.5

Solution

Apache has released Dubbo 2.7.5 to fix the preceding vulnerability. Affected users are advised to upgrade as soon as possible.

To download Dubbo 2.7.5, click the following link:

https://github.com/apache/dubbo/releases/tag/dubbo-2.7.5

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

Founded in April 2000, NSFOCUS Information Technology Co., Ltd. (NSFOCUS) was headquartered in Beijing. With more than 30 branches and subsidiaries at home and abroad, the company provides most competitive security products and solutions for governments, carriers, and financial, energy, Internet, education, and medical sectors, ensuring customers’ business continuity.

Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.

NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.