Apache Dubbo Remote Code Execution Vulnerability (CVE-2020-1948) Patch Bypass Threat Alert

July 6, 2020 | Adeline Zhang

Overview

On June 23, NSFOCUS reported that Apache Dubbo contained a remote code execution vulnerability (CVE-2020-1948) resulting from deserialization.

Apache Dubbo is a high-performance Java RPC framework. The vulnerability exists in Hessian, the default deserialization tool used by Apache Dubbo. An attacker may exploit it by sending malicious RPC requests, which usually contain unrecognizable service or method names together with malicious parameter payloads. When the malicious parameters are deserialized, the vulnerability is triggered, allowing the attacker to execute code remotely.

The vendor released version 2.7.7 to fix the vulnerability, but the patch can be bypassed, leaving the framework still vulnerable. At present, the vendor has not released any new patch against this 0-day vulnerability.

Affected Version

Dubbo Version <= 2.7.7

Unaffected Versions

Unavailable

Solution

The vendor has not yet released a fixed version. Users should watch the release page:

https://github.com/apache/dubbo/releases/

Users can take the following temporary measures:

  1. Restrict access to the Dubbo service to trusted IP addresses only;
  2. Since the vulnerability results from Hessian deserialization, switch to another serialization method instead, provided that this does not affect your own business.
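As an added illustration of the second measure (example configuration written for this page, not from NSFOCUS or the Dubbo project), the following Spring XML shows the default Dubbo protocol setting, which uses Hessian2 serialization, next to the same protocol declaration with the `serialization` attribute of `<dubbo:protocol>` (documented in the Dubbo protocol reference linked below) pointed at a different serializer. The port `20880` and the choice of `kryo` are assumptions; whichever serializer you choose must have its Dubbo serialization dependency on the classpath of every provider and consumer, and must be validated against your own services before rollout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original advisory. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:dubbo="http://dubbo.apache.org/schema/dubbo"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://dubbo.apache.org/schema/dubbo
                           http://dubbo.apache.org/schema/dubbo/dubbo.xsd">

    <dubbo:application name="demo-provider"/>

    <!-- BEFORE: no serialization attribute, so the dubbo protocol falls back to
         its default, Hessian2 (the component the advisory describes). Writing
         serialization="hessian2" explicitly is equivalent to omitting it. -->
    <!--
    <dubbo:protocol name="dubbo" port="20880"/>
    -->

    <!-- AFTER: select a different serializer on the exposed protocol. The value
         "kryo" is an assumed choice; it also requires the matching Dubbo
         serialization module on both provider and consumer classpaths. -->
    <dubbo:protocol name="dubbo" port="20880" serialization="kryo"/>

</beans>
```

Changing the serializer only addresses the Hessian deserialization path named in this advisory; it does not replace the first measure, restricting which addresses can reach the Dubbo port at all.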

Reference links:

https://github.com/apache/dubbo/pull/6374
http://dubbo.apache.org/zh-cn/docs/user/references/xml/dubbo-protocol.html

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.