Apache Dubbo Deserialization Vulnerability
On February 10, 2020, Apache Dubbo officially released the notice for CVE-2019-17564, a vulnerability rated medium severity. Unsafe deserialization occurs within a Dubbo application that has HTTP remoting enabled: an attacker may submit a POST request containing a Java object to completely compromise a Provider instance of Apache Dubbo, if that instance enables HTTP. WAF now provides protection against this vulnerability.
Affected Versions
This vulnerability affects Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
Mitigation Version
Apache Dubbo 2.7.5
Solutions
Upgrade Apache Dubbo to version 2.7.5.
If a quick upgrade is not possible or you want to defend against more vulnerabilities, use WAF. The procedure is as follows:
- Apply for a dedicated WAF instance.
- Add the website domain name to WAF and route website traffic to WAF.
  - Cloud mode: Creating a Domain Name
  - Dedicated mode: Step 1: Add a Website to WAF (Dedicated Mode)
- Set the mode of Basic Web Protection to Block. For details, see Configuring Basic Protection Rules to Defend Against Common Web Attacks.
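As an added example (not part of this notice and not Dubbo's or WAF's own code), the two checks a practitioner would want alongside the steps above: triaging Provider versions against the affected ranges, and a WAF-style screen that blocks POST bodies carrying a Java serialization stream to an HTTP remoting endpoint. It assumes the `application/x-java-serialized-object` content type that Spring HttpInvoker clients send; the sample request is constructed.

```python
import re
from typing import Dict, Tuple

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Content type sent by Spring HttpInvoker clients, which Dubbo's http protocol builds on.
SERIALIZED_OBJECT_CT = "application/x-java-serialized-object"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Dubbo version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True when the version falls in a range the notice lists: 2.5.x, 2.6.0-2.6.7, 2.7.0-2.7.4."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (2, 5):
        return True
    if (major, minor) == (2, 6):
        return patch <= 7
    if (major, minor) == (2, 7):
        return patch <= 4
    return False


def triage_request(method: str, headers: Dict[str, str], body: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) for a request bound for a Dubbo HTTP remoting endpoint.
    The body is judged by its stream magic, not by the declared Content-Type, so a
    relabelled serialized object is still caught; the Content-Type check is a second net."""
    if method.upper() != "POST":
        return "allow", "HTTP remoting only deserializes POST bodies"
    if body.startswith(JAVA_SERIAL_MAGIC):
        return "block", "POST body is a Java serialization stream"
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ct.lower().startswith(SERIALIZED_OBJECT_CT):
        return "block", "Content-Type declares a serialized Java object"
    return "allow", "no serialized Java object in request"


if __name__ == "__main__":
    # Constructed sample: a POST whose body starts with the Java stream header.
    sample = ("POST", {"Content-Type": "application/octet-stream"}, JAVA_SERIAL_MAGIC + b"\x73\x72")
    print(is_affected("2.7.4"), is_affected("2.7.5"))  # True False
    print(triage_request(*sample))  # ('block', 'POST body is a Java serialization stream')
```

The magic-byte check is what the WAF rule ultimately relies on: a serialized object with a harmless Content-Type still begins with the same four bytes.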