Apache Dubbo Deserialization Vulnerability
On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice and rated the severity as medium. Unsafe deserialization occurs in a Dubbo application that has HTTP remoting enabled: an attacker can submit a POST request containing a serialized Java object and completely compromise an Apache Dubbo Provider instance that exposes the HTTP protocol. HUAWEI CLOUD WAF now provides protection against this vulnerability.
Affected Versions
This vulnerability affects Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
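The affected-version list above is easy to misread when versions carry qualifiers or come from a build file. The following is an added example (not part of the advisory or of the Dubbo project) that encodes the advisory's three ranges as inclusive bounds, parses version strings with or without a patch number or qualifier, and pulls every dependency on the `dubbo` artifact out of a Maven `pom.xml`. The Maven group IDs `org.apache.dubbo` (2.7.x) and `com.alibaba` (2.5.x/2.6.x) are the real coordinates of the core artifact; the sample POM is constructed for the example.

```python
# Added example, not part of the advisory or of the Dubbo project: decide
# whether a Dubbo version string falls in the ranges the advisory lists as
# affected, and pull candidate versions out of a Maven pom.xml.
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges taken from the advisory text; "all 2.5.x" is
# expressed as 2.5.0 up to an unbounded patch number.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 4)),
    ((2, 6, 0), (2, 6, 7)),
    ((2, 5, 0), (2, 5, 10**9)),
]
FIXED_VERSION: Version = (2, 7, 5)

# Known Maven coordinates for the core artifact: org.apache.dubbo for 2.7.x,
# com.alibaba for the older 2.5.x/2.6.x line.
DUBBO_GROUP_IDS = {"org.apache.dubbo", "com.alibaba"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor[.patch]'; a trailing qualifier such as '-SNAPSHOT'
    is ignored. Returns None for unresolved Maven properties like ${dubbo.version}."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the version lies in any affected range; raises on unparseable input."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def dubbo_versions_from_pom(pom_xml: str) -> List[str]:
    """Return the <version> of every <dependency> on the 'dubbo' artifact.
    Tags are compared without their namespace so the POM xmlns does not matter."""
    root = ET.fromstring(pom_xml)
    versions = []
    for dep in root.iter():
        if dep.tag.rsplit("}", 1)[-1] != "dependency":
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in dep}
        if fields.get("groupId") in DUBBO_GROUP_IDS and fields.get("artifactId") == "dubbo":
            versions.append(fields.get("version", ""))
    return versions


def assess_pom(pom_xml: str) -> List[Tuple[str, str]]:
    """Map each Dubbo dependency version to 'affected', 'not affected' or 'unknown'."""
    report = []
    for ver in dubbo_versions_from_pom(pom_xml):
        if parse_version(ver) is None:
            report.append((ver, "unknown"))  # property reference or malformed
        else:
            report.append((ver, "affected" if is_affected(ver) else "not affected"))
    return report


# Constructed sample pom.xml (not from any real project) with three entries.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.dubbo</groupId>
      <artifactId>dubbo</artifactId>
      <version>2.7.3</version>
    </dependency>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>dubbo</artifactId>
      <version>2.6.7</version>
    </dependency>
    <dependency>
      <groupId>org.apache.dubbo</groupId>
      <artifactId>dubbo</artifactId>
      <version>${dubbo.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for ver, status in assess_pom(SAMPLE_POM):
        print(f"dubbo {ver}: {status}")
```

A version that resolves only through a Maven property is reported as unknown rather than silently treated as safe; resolve the property (for example with `mvn help:effective-pom`) and re-run the check on the concrete value.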
Mitigation Version
Apache Dubbo 2.7.5
Solutions
Upgrade Apache Dubbo to version 2.7.5.
If you cannot upgrade quickly, or want protection against a broader set of vulnerabilities, use HUAWEI CLOUD WAF. The procedure is as follows:
- Buy WAF.
- Add the website domain name to WAF and connect it to WAF. For details, see Adding a Domain Name.
- In the Basic Web Protection configuration area, set Mode to Block. For details, see Configuring Basic Web Protection Rules.
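Blocking in Basic Web Protection works on the request shape the advisory describes: a POST whose body is a serialized Java object. The following is an added example (not part of the advisory or of HUAWEI CLOUD WAF) showing the kind of check a defender can run over access logs or in a request filter to spot that shape, using the Java serialization stream magic bytes (0xAC 0xED 0x00 0x05) and the `application/x-java-serialized-object` content type that Spring's HTTP invoker uses. The log format, the `/dubbo/...` path and the request bodies are constructed for the example.

```python
# Added example, not part of the advisory or of HUAWEI CLOUD WAF: classify
# inbound requests by whether a POST body is a Java serialization stream, the
# request shape CVE-2019-17564 relies on against an HTTP-enabled provider.
from dataclasses import dataclass
from typing import List

# Magic header every java.io.ObjectOutputStream writes (STREAM_MAGIC 0xACED, STREAM_VERSION 5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Content type used by Spring's HTTP invoker for serialized Java payloads.
SERIALIZED_CONTENT_TYPE = "application/x-java-serialized-object"


@dataclass
class Request:
    method: str
    path: str
    content_type: str
    body: bytes


def is_java_serialized_post(req: Request) -> bool:
    """True for a POST that either declares a serialized-object content type or
    carries a body starting with the Java serialization magic, whatever the header says."""
    if req.method.upper() != "POST":
        return False
    declared = req.content_type.split(";", 1)[0].strip().lower()
    if declared == SERIALIZED_CONTENT_TYPE:
        return True
    return req.body.startswith(JAVA_STREAM_MAGIC)


def parse_log_line(line: str) -> Request:
    """Constructed log format for this example: METHOD PATH CONTENT-TYPE [HEX-BODY]."""
    parts = line.split(maxsplit=3)
    method, path, content_type = parts[0], parts[1], parts[2]
    body = bytes.fromhex(parts[3]) if len(parts) > 3 else b""
    return Request(method, path, content_type, body)


def suspicious_requests(lines: List[str]) -> List[str]:
    """Return the paths of every request that looks like a serialized-object POST."""
    return [r.path for r in map(parse_log_line, lines) if is_java_serialized_post(r)]


# Constructed sample records; the Dubbo path and bodies are invented for illustration.
SAMPLE_LOG = [
    "POST /dubbo/com.example.DemoService application/x-java-serialized-object aced00057372",
    "POST /api/orders application/json 7b226964223a317d",
    "GET /health text/plain",
    # Mislabelled content type but a body that starts with the Java magic bytes.
    "POST /dubbo/com.example.DemoService application/octet-stream aced0005",
    "POST /api/upload application/octet-stream 89504e47",
]

if __name__ == "__main__":
    for path in suspicious_requests(SAMPLE_LOG):
        print("serialized Java object in POST to", path)
```

The body check matters more than the header check: a client controls the Content-Type it sends, so a filter that only matches the declared type misses the fourth sample record, while the magic-byte test catches it regardless of the header.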