Updated on 2024-03-14 GMT+08:00

Apache Dubbo Deserialization Vulnerability

On February 10, 2020, Apache Dubbo published its notice for CVE-2019-17564, rated medium severity. A Dubbo application with HTTP remoting enabled deserializes untrusted Java objects: an attacker who can send a POST request carrying a serialized Java object to a Provider instance that exposes the HTTP protocol can completely compromise that instance. WAF now provides protection against this vulnerability.

Affected Versions

This vulnerability affects Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

Mitigation Version

Apache Dubbo 2.7.5

Solutions

Upgrade Apache Dubbo to version 2.7.5.

If you cannot upgrade promptly, or want protection against other vulnerabilities as well, use WAF. The procedure is as follows:

  1. Apply for a dedicated WAF instance.
  2. Add the website domain name to WAF and route website traffic to WAF.
  3. Set the mode of Basic Web Protection to Block. For details, see Configuring Basic Protection Rules to Defend Against Common Web Attacks.
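The following Python script is an added example, not code from this page, from Apache Dubbo or from WAF. It serves two passages: it encodes the ranges listed under Affected Versions so that a dependency inventory can be checked against them, and it shows the kind of request the Block mode configured in step 3 is meant to stop. It assumes that a Dubbo HTTP-remoting request body is a Java serialization stream (magic bytes AC ED 00 05, or rO0AB once Base64-encoded), as produced by Spring's HttpInvoker, and that such requests typically carry the Content-Type application/x-java-serialized-object. The request samples, the service path org.example.DemoService and the host names are constructed for the example.

```python
import re

# Affected and fixed versions as stated on this page.
AFFECTED_RANGES = (
    ((2, 7, 0), (2, 7, 4)),      # 2.7.0 to 2.7.4
    ((2, 6, 0), (2, 6, 7)),      # 2.6.0 to 2.6.7
    ((2, 5, 0), (2, 5, 10**6)),  # all 2.5.x
)
FIXED_VERSION = "2.7.5"

# Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 5) and
# its Base64 prefix. Assumption: a Dubbo HTTP-remoting request body is such a
# stream, as with Spring's HttpInvoker, and normally declares this content type.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_STREAM_MAGIC_B64 = b"rO0AB"
SERIALIZED_CONTENT_TYPE = "application/x-java-serialized-object"


def parse_version(text: str) -> tuple:
    """Turn '2.7.4' or '2.7.4-SNAPSHOT' into (2, 7, 4); reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.][0-9A-Za-z.-]*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Dubbo version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(text: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.1 request parser returning (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _http_version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return method.decode("ascii"), path.decode("ascii"), headers, body


def classify_request(raw: bytes):
    """Return why a POST should be blocked (it carries a Java serialization stream), else None."""
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    if SERIALIZED_CONTENT_TYPE in headers.get("content-type", "").lower():
        return "content-type declares a Java serialized object"
    # Do not trust Content-Type alone: inspect the body for the stream header too.
    if body.startswith(JAVA_STREAM_MAGIC):
        return "body starts with Java serialization magic AC ED 00 05"
    if body.startswith(JAVA_STREAM_MAGIC_B64):
        return "body starts with Base64-encoded Java serialization magic"
    return None


# Constructed sample traffic (not captured from a real Dubbo deployment).
SAMPLE_REQUESTS = {
    "json-api": (
        b"POST /api/orders HTTP/1.1\r\nHost: shop.example\r\n"
        b"Content-Type: application/json\r\nContent-Length: 15\r\n\r\n"
        b'{"order":12345}'
    ),
    "dubbo-http-invoke": (
        b"POST /org.example.DemoService HTTP/1.1\r\nHost: provider.example:8080\r\n"
        b"Content-Type: application/x-java-serialized-object\r\n\r\n"
        + JAVA_STREAM_MAGIC + b"sr\x00..."
    ),
    "disguised-content-type": (
        b"POST /org.example.DemoService HTTP/1.1\r\nHost: provider.example:8080\r\n"
        b"Content-Type: application/octet-stream\r\n\r\n"
        + JAVA_STREAM_MAGIC + b"sr\x00..."
    ),
    "get-request": b"GET /org.example.DemoService HTTP/1.1\r\nHost: provider.example:8080\r\n\r\n",
}


def audit(requests: dict) -> dict:
    """Classify every sample; the flagged ones are what step 3's Block mode should drop."""
    return {name: classify_request(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for version in ("2.5.3", "2.6.7", "2.7.4", FIXED_VERSION):
        state = "AFFECTED" if is_affected_version(version) else "not affected"
        print(f"Dubbo {version}: {state}")
    for name, verdict in audit(SAMPLE_REQUESTS).items():
        print(f"{name}: {verdict or 'allow'}")
```

The disguised-content-type sample is the case to watch: a client can set any Content-Type it likes, so a rule that only matches the declared type misses a serialized object sent as application/octet-stream. Matching on the stream header in the body is what makes the check meaningful, and it is the reason to route the Provider's HTTP listener through WAF rather than rely on a header filter in front of it.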