Apache Dubbo Deserialization Vulnerability (CVE-2019-17564): Principle, Affected Versions, and Protection Measures

The article explains the deserialization vulnerability (CVE-2019-17564) in Apache Dubbo when using HTTP, lists the impacted 2.5.x, 2.6.x, and 2.7.x versions, and provides mitigation steps including upgrading to 2.7.5 and applying Huawei Cloud WAF rules.

Architect's Tech Stack

On February 13, 2020, Huawei Cloud Security detected a serious deserialization vulnerability (CVE-2019-17564) in the widely used Apache Dubbo framework. It allows an unauthenticated attacker to execute arbitrary code remotely on an affected provider, potentially compromising the service and leaking data.

Vulnerability Principle : Serialization converts an object into a byte sequence, and deserialization rebuilds the object from those bytes. Java native deserialization instantiates whatever classes the byte stream names and runs their readObject/readResolve hooks before the caller sees anything, so whoever controls the stream controls which classes get constructed. When a Dubbo provider exposes a service over the HTTP protocol (the dubbo-rpc-http module, backed by Spring's HttpInvokerServiceExporter), the body of a POST request is fed straight into that machinery with no class allowlist or other security check, so a crafted request body can trigger execution of arbitrary code. This CVE concerns only the HTTP protocol: a provider that does not declare <dubbo:protocol name="http"> does not expose the vulnerable path.
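The unchecked-deserialization pattern described above, beside the generic Java defence against it (an ObjectInputFilter allowlist, JEP 290, Java 9 and later), as an added example that is not from the article or from Dubbo's code base. DeserializationDemo, Invocation, readUnchecked and readFiltered are hypothetical names chosen for the illustration; Invocation stands in for the invocation object a Dubbo HTTP provider reads from a POST body, and Dubbo's own 2.7.5 fix is not reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Constructed illustration (not Dubbo's code) of the pattern behind
 * CVE-2019-17564 and of a JEP 290 allowlist filter that closes it.
 */
public class DeserializationDemo {

    /** Hypothetical RPC invocation: the only type a provider should accept. */
    static final class Invocation implements Serializable {
        private static final long serialVersionUID = 1L;
        final String method;
        final String[] args;
        Invocation(String method, String... args) {
            this.method = method;
            this.args = args;
        }
    }

    /** Java native serialization, the encoding Dubbo's HTTP protocol used. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * VULNERABLE pattern: every class named in the stream is instantiated and
     * its readObject()/readResolve() hooks run before the caller sees the
     * result, so the sender decides what code executes. This is the unchecked
     * deserialization the article describes for the HTTP protocol.
     */
    static Object readUnchecked(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    /**
     * HARDENED pattern: the filter is consulted for each class in the stream
     * (array classes are checked by their component type) before it is
     * resolved, so an unexpected class is rejected with InvalidClassException
     * and never constructed. The trailing "!*" denies everything not listed.
     */
    static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$Invocation;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate invocation and an unexpected class
        // standing in for an attacker-chosen gadget type.
        byte[] legit = serialize(new Invocation("sayHello", "world"));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unchecked, legit:      " + readUnchecked(legit).getClass().getName());
        System.out.println("unchecked, unexpected: " + readUnchecked(unexpected).getClass().getName());

        System.out.println("filtered, legit:       " + readFiltered(legit).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected: accepted (should not happen)");
        } catch (InvalidClassException e) {
            // A REJECTED filter status surfaces as InvalidClassException.
            System.out.println("filtered, unexpected: rejected -> " + e.getMessage());
        }
    }
}
```

The unchecked reader happily materialises the HashMap; the filtered reader throws before the class is resolved. In a real service the allowlist is the set of invocation and argument types the provider actually expects, and it should be treated as part of the service contract rather than as an afterthought.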

Affected Versions : The vulnerability impacts Apache Dubbo versions 2.7.0‑2.7.4, 2.6.0‑2.6.7, and all 2.5.x releases.

Mitigation Options :

Upgrade to the fixed version 2.7.5, which can be downloaded from https://github.com/apache/dubbo/tree/dubbo-2.7.5.

If an immediate upgrade is not possible, use Huawei Cloud Web Application Firewall (WAF) to block exploitation attempts at the edge as a stopgap. A WAF only inspects traffic that passes through it, so also confirm whether the HTTP protocol is needed at all: a provider that does not declare <dubbo:protocol name="http"> does not expose the vulnerable endpoint, and removing an unneeded HTTP protocol configuration or restricting its port to trusted networks closes the path regardless of WAF coverage. The steps are:

Conclusion : The article closes by asking whether the reader's company uses Dubbo or Spring Cloud, and which major version of Dubbo is in use, to encourage further discussion of security practices.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by Architect's Tech Stack: Java backend, microservices, distributed systems, containerized programming, and more.