Updated on 2024-02-29 GMT+08:00

Apache Dubbo Deserialization Vulnerability

On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice, and the vulnerability severity is medium. Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. Now, Huawei Cloud WAF provides protection against this vulnerability.

Affected Versions

This vulnerability affects Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x. versions.

Mitigation Version

Apache Dubbo 2.7.5


Upgrade Apache Dubbo to version 2.7.5.

If a quick upgrade is not possible or you want to defend against more vulnerabilities, use WAF. The procedure is as follows:

  1. Buy WAF.
  2. Add the website domain name to WAF and connect it to WAF. For details, see Adding a Domain Name.
  3. In the Basic Web Protection configuration area, set Mode to Block. For details, see Configuring Basic Web Protection Rules.