How Critical Is the Apache Dubbo CVE‑2019‑17564 Vulnerability and How to Fix It?

Vulnerability Overview

Apache Dubbo is a high‑performance, lightweight open‑source Java RPC framework that provides three core capabilities: interface‑based remote method invocation, intelligent fault tolerance and load balancing, and automatic service registration and discovery.

Vulnerability Details

When the HTTP protocol is selected, Dubbo deserializes POST request data. If malicious gadgets are present, inadequate security checks lead to arbitrary code execution.

Tracing shows the request flow:

org.apache.dubbo.rpc.protocol.http.HttpProtocol.handle

org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter.readRemoteInvocation

org.springframework.remoting.rmi.RemoteInvocationSerializingExporter.readObject

This chain ultimately results in command execution.

Affected Versions

2.7.0 ≤ Apache Dubbo ≤ 2.7.4

2.6.0 ≤ Apache Dubbo ≤ 2.6.7

Apache Dubbo 2.5.x

Vulnerability Detection

Only users who enable the HTTP protocol are affected, e.g., <dubbo:protocolname="http"/>.

Mitigation Recommendations

1. Upgrade to Dubbo 2.7.5 or later – see release notes .

2. Upgrade Method – update Maven dependency (see diagram).

3. If upgrade is not feasible, use WAF protection :

Purchase a WAF.

Add your domain to the WAF and complete domain integration.

Set the Web basic protection mode to “intercept”.

Source: https://urlify.cn/rii2ye

Related Reading

Java Distributed RPC Framework Performance Comparison – Where Does Dubbo Rank?

Top 9 Java Frameworks in September 2020

Dubbo Source Code Analysis – Cluster Fault‑Tolerance Architecture