July 2, 2020
Recently, Apache Dubbo was reported to contain a remote code execution vulnerability (CVE-2020-1948) resulting from deserialization.
Apache Dubbo is a high-performance Java RPC framework. The vulnerability exists in Hessian, a default deserialization tool used by Apache Dubbo. An attacker may trigger it by sending malicious RPC requests, which usually contain unidentifiable service or method names and malicious parameter payloads. When the malicious parameters are deserialized, the attacker achieves code execution.
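Because such requests usually name a service or method the provider does not export, captured Dubbo frames can be triaged by reading only the invocation header and never deserializing the parameters. The following is an added example, not code from the original post or from the Dubbo project. It assumes the public Dubbo wire layout (16-byte header, then Hessian 2 strings for Dubbo version, service path, service version and method), and the `EXPORTED` allowlist, `com.example.*` names and sample frames are constructed.

```python
import struct

MAGIC, FLAG_REQUEST, FLAG_EVENT, SERIALIZATION_MASK, HESSIAN2_ID = 0xDABB, 0x80, 0x20, 0x1F, 2
# Hypothetical allowlist: the interfaces and methods this provider really exports.
EXPORTED = {"com.example.OrderService": {"getOrder", "listOrders"}}

def read_hessian_string(buf, pos):
    """Decode one Hessian 2 string (ASCII assumed); return (text, next_pos)."""
    tag = buf[pos]
    if tag == 0x4E:                          # 'N' = null, e.g. an unset service version
        return "", pos + 1
    if tag <= 0x1F:                          # compact form, length 0-31 in the tag
        length, pos = tag, pos + 1
    elif 0x30 <= tag <= 0x33:                # short form, length 0-1023
        length, pos = ((tag - 0x30) << 8) | buf[pos + 1], pos + 2
    elif tag == 0x53:                        # 'S' + 16-bit length, final chunk
        length, pos = int.from_bytes(buf[pos + 1:pos + 3], "big"), pos + 3
    else:
        raise ValueError(f"not a Hessian string tag: {tag:#x}")
    if pos + length > len(buf):
        raise ValueError("string overruns the body")
    return buf[pos:pos + length].decode("ascii"), pos + length

def inspect_frame(frame):
    """Classify one Dubbo frame: 'ok', 'skip' or 'suspicious: <reason>'."""
    if len(frame) < 16:
        return "suspicious: truncated header"
    magic, flags, _status, _req_id, body_len = struct.unpack_from(">HBBQI", frame)
    if magic != MAGIC:
        return "suspicious: bad magic"
    if not (flags & FLAG_REQUEST) or (flags & FLAG_EVENT):
        return "skip"                        # responses and heartbeats carry no invocation
    if (flags & SERIALIZATION_MASK) != HESSIAN2_ID:
        return "skip"                        # other serializers are out of scope here
    body = frame[16:16 + body_len]
    try:
        pos, fields = 0, []
        for _ in range(4):                   # Dubbo version, service path, service version, method
            text, pos = read_hessian_string(body, pos)
            fields.append(text)
    except (ValueError, IndexError):
        return "suspicious: malformed invocation header"
    _, service, _, method = fields
    if method not in EXPORTED.get(service, ()):
        return f"suspicious: unknown target {service}#{method}"
    return "ok"

def build_request(service, method):
    """Constructed sample frame: request header plus the four leading strings, no arguments."""
    body = b"".join(bytes([len(s)]) + s.encode("ascii") for s in ("2.0.2", service, "0.0.0", method))
    return struct.pack(">HBBQI", MAGIC, FLAG_REQUEST | 0x40 | HESSIAN2_ID, 0, 1, len(body)) + body
```

An unknown target is a triage signal only: a request that names a real exported method can still carry a hostile parameter, so this check does not replace fixing the deserializer.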