Apache Dubbo Deserialization Vulnerability (CVE-2019-17564): Principle, Affected Versions, and Protection Measures
The article explains the deserialization vulnerability (CVE-2019-17564) that affects Apache Dubbo when its HTTP protocol is enabled, lists the affected 2.5.x, 2.6.x and 2.7.x releases, and gives two mitigation paths: upgrading to 2.7.5, or applying Huawei Cloud WAF rules until the upgrade can be done.
On February 13, 2020, Huawei Cloud Security flagged a serious deserialization vulnerability (CVE-2019-17564) in the widely used Apache Dubbo RPC framework. It allows a remote attacker to execute arbitrary code on the service host, which can lead to full compromise of the application and exposure of its data.
Vulnerability Principle: Serialization converts an object into a byte sequence; deserialization rebuilds the object from those bytes. When a Dubbo service is exposed over the HTTP protocol, the body of an incoming POST request is handed straight to the deserializer (Spring's HttpInvokerServiceExporter, which reads it with java.io.ObjectInputStream) before any check on which classes the stream contains. An attacker who can reach the endpoint can therefore post a crafted serialized object graph and have the server reconstruct it, which with a suitable class on the classpath results in arbitrary code execution. Dubbo's default protocol is dubbo, not http, so only deployments that explicitly configure the http protocol are exposed.
Affected Versions: Apache Dubbo 2.7.0 through 2.7.4, 2.6.0 through 2.6.7, and every 2.5.x release.
Mitigation Options:
Upgrade to 2.7.5, the first release that fixes the issue. It can be downloaded from https://github.com/apache/dubbo/tree/dubbo-2.7.5 . Before relying on the upgrade, confirm which Dubbo version each service actually ships with, since the library is usually pulled in transitively through the application's build.
If an immediate upgrade is not possible, use Huawei Cloud Web Application Firewall (WAF) to protect against this and other vulnerabilities. The steps are:
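Independently of any vendor product, the check that a WAF rule for this vector has to perform can be written out. The Python below is an added example, not code from the article, from Apache Dubbo or from Huawei Cloud. It relies on two facts about the vulnerable component: Dubbo's HTTP protocol handed the POST body to Spring's HttpInvokerServiceExporter, which deserialized it with java.io.ObjectInputStream, and Spring's HTTP invoker client marks such bodies with the content type application/x-java-serialized-object. Everything else is an assumption for illustration: the allowlist of class names the endpoint is expected to need, the simplified stream layout used to build the sample requests, and the gadget class name used only as a fingerprint (the sample body is not a working exploit).

```python
"""Added example (not from the article, Apache Dubbo or Huawei Cloud): a
WAF-style pre-check for the request vector behind CVE-2019-17564.  The stream
is scanned for every class descriptor, not just the first object, because the
exporter deserializes the whole graph before casting to RemoteInvocation.
The allowlist is an assumption for this example; tune it per service."""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectStreamConstants magic 0xACED, version 5
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
SERIALIZED_CONTENT_TYPE = "application/x-java-serialized-object"  # sent by Spring HttpInvoker

# JVM class names as written in a class descriptor, including array forms
# such as "[Ljava.lang.Object;".
CLASS_NAME_RE = re.compile(r"^(\[+L)?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?$")

# Assumed allowlist: the RemoteInvocation envelope plus the JDK types its
# fields legitimately carry.  Nothing else belongs on this endpoint.
ALLOWED_CLASSES = frozenset({
    "org.springframework.remoting.support.RemoteInvocation",
    "[Ljava.lang.Object;",
    "[Ljava.lang.Class;",
    "java.lang.String",
    "java.lang.Integer",
    "java.lang.Number",
    "java.util.HashMap",
})


def is_java_stream(body: bytes) -> bool:
    """True if the body starts with the Java serialization stream header."""
    return body[:4] == STREAM_MAGIC


def extract_class_names(body: bytes) -> list:
    """Heuristically list every class named by a TC_CLASSDESC in the stream.

    A full ObjectStream parser would track back-references and block data;
    for a WAF pre-check it is enough to find each 0x72 byte followed by a
    big-endian UTF length, a plausible JVM class name, and room for the
    8-byte serialVersionUID that must follow the name.
    """
    names = []
    i = 4 if is_java_stream(body) else 0
    while i + 3 <= len(body):
        if body[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", body[i + 1:i + 3])
            name_bytes = body[i + 3:i + 3 + n]
            if 0 < n == len(name_bytes) and len(body) >= i + 3 + n + 8:
                name = name_bytes.decode("utf-8", errors="replace")
                if CLASS_NAME_RE.match(name):
                    names.append(name)
                    i += 3 + n
                    continue
        i += 1
    return names


def check_request(content_type: str, body: bytes, allowed=ALLOWED_CLASSES):
    """Return ("allow"|"block", reason) for one POST to the Dubbo HTTP endpoint."""
    if not is_java_stream(body):
        if content_type == SERIALIZED_CONTENT_TYPE:
            return "block", "serialized content type without a Java stream header"
        return "allow", "not a Java serialization stream"
    names = extract_class_names(body)
    if not names:
        return "block", "Java stream with no recognisable class descriptor"
    disallowed = sorted(set(names) - set(allowed))
    if disallowed:
        return "block", "class not on allowlist: " + ", ".join(disallowed)
    return "allow", "all %d classes on allowlist" % len(names)


# --- constructed sample requests (not real exploit payloads) --------------
def _class_desc(name: str) -> bytes:
    """Minimal TC_OBJECT + TC_CLASSDESC with zero fields: name, fake
    serialVersionUID, flags, field count, end of block, null superclass."""
    n = name.encode()
    return (bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(n)) + n
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + bytes([TC_ENDBLOCKDATA, TC_NULL]))


LEGIT_BODY = STREAM_MAGIC + _class_desc("org.springframework.remoting.support.RemoteInvocation")
# Same envelope with an object of a well-known gadget class nested after it.
NESTED_GADGET_BODY = LEGIT_BODY + _class_desc(
    "org.apache.commons.collections.functors.InvokerTransformer")
JSON_BODY = b'{"method":"sayHello","params":["dubbo"]}'

if __name__ == "__main__":
    print("legit        ", check_request(SERIALIZED_CONTENT_TYPE, LEGIT_BODY))
    print("nested gadget", check_request(SERIALIZED_CONTENT_TYPE, NESTED_GADGET_BODY))
    print("json         ", check_request("application/json", JSON_BODY))
```

Two points about the design. First, the check is allowlist-based rather than a denylist of known gadget classes, which mirrors what a JEP 290 ObjectInputFilter on the server would do and does not depend on knowing every gadget chain in advance. Second, the descriptor scan is heuristic and fails closed: a legitimate request whose data happens to produce a false positive is rejected, which is acceptable for a stop-gap on a single RPC endpoint but is one more reason the upgrade, not the WAF rule, is the real fix.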
Conclusion: The article closes by asking whether the reader's company uses Dubbo or Spring Cloud, and which major version of Dubbo is in production, to prompt further discussion of security practice.
Architect's Tech Stack
Java backend, microservices, distributed systems, containerized programming, and more.