Uncovering CVE‑2019‑17564: How Apache Dubbo’s HTTP Protocol Enables Remote Code Execution

Apache Dubbo’s CVE‑2019‑17564 is a high‑severity vulnerability that allows remote code execution via unsafe deserialization when the HTTP protocol is enabled, affecting versions 2.5.x through 2.7.4; the article details the flaw’s mechanics, affected classes, detection methods, and recommended upgrades or WAF protections.

ITPUB

Overview

Apache Dubbo is a high‑performance, lightweight Java RPC framework that supports several transport protocols; the default is its own dubbo protocol, and HTTP is one of the optional alternatives. When a service is exported over the HTTP protocol, the provider accepts HTTP POST requests and deserializes the request body, which carries the remote invocation as a Java serialization stream, before dispatching the call.

Vulnerability (CVE‑2019‑17564)

In the affected versions, nothing on this path restricts which classes may be deserialized. An attacker who can reach the HTTP port sends a POST body containing a Java-serialized object graph assembled from classes that are already on the provider's classpath (a "gadget chain"); the server does the rest. The call chain is:

1. Dubbo receives the request in org.apache.dubbo.rpc.protocol.http.HttpProtocol.handle.

2. The request is delegated to Spring's org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter.readRemoteInvocation.

3. The body is passed on to org.springframework.remoting.rmi.RemoteInvocationSerializingExporter, which calls java.io.ObjectInputStream.readObject on the stream built from the POST payload (the ois argument in that class) with no whitelist or ObjectInputFilter applied.

4. readObject instantiates whatever classes the stream names and runs their deserialization callbacks (readObject, readResolve and similar). With a suitable gadget chain those callbacks execute arbitrary code on the server before Dubbo ever sees the resulting RemoteInvocation.

Affected Versions

2.7.0 ≤ Apache Dubbo ≤ 2.7.4

2.6.0 ≤ Apache Dubbo ≤ 2.6.7

All 2.5.x releases (the 2.5 line is no longer maintained upstream, so the remedy is to move to a fixed 2.7.x release)

Detection

The vulnerability is reachable only when a provider exports services over the HTTP protocol. Dubbo's default protocol is dubbo, so HTTP has to be enabled explicitly; search the XML configuration for an entry similar to:

<dubbo:protocol name="http"/>

The property form of the same setting (dubbo.protocol.name=http in dubbo.properties or in a Spring Boot application.properties) enables the same transport and should be searched for as well. A host is exposed when an affected version is in use and one of these entries is present.
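The two conditions above (an affected version, and the HTTP protocol enabled) can be checked mechanically from a project's build and configuration files. The script below is an added example written for this page, not code from the original article or from the Dubbo project; the pom.xml, Dubbo XML and properties samples inside it are constructed for the demo, and the multi-protocol property key layout (dubbo.protocols.<id>.name) is an assumption.

```python
"""Checks for CVE-2019-17564 exposure from build and configuration files.

Added example, not code from the original article or from Apache Dubbo. It
encodes the advisory's two conditions: a Dubbo version in an affected range,
and the HTTP protocol enabled in configuration. All sample inputs below are
constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges as listed in the advisory: all 2.5.x, 2.6.0-2.6.7, 2.7.0-2.7.4.
AFFECTED_RANGES = (
    ((2, 5, 0), (2, 5, 999)),
    ((2, 6, 0), (2, 6, 7)),
    ((2, 7, 0), (2, 7, 4)),
)
# 2.7.x ships under org.apache.dubbo; 2.6.x and older used the com.alibaba groupId.
DUBBO_GROUP_IDS = {"org.apache.dubbo", "com.alibaba"}

PROTOCOL_TAG = re.compile(r"<dubbo:protocol\b[^>]*>", re.IGNORECASE)
NAME_ATTR = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
# dubbo.protocol.name=http in dubbo.properties / application.properties, plus the
# multi-protocol form dubbo.protocols.<id>.name=http (assumed key layout).
PROP_LINE = re.compile(r"^\s*dubbo\.protocols?\.(?:[\w-]+\.)?name\s*[=:]\s*(\S+)", re.MULTILINE)


def parse_version(version):
    """'2.7.4' -> (2, 7, 4); qualifiers such as '-SNAPSHOT' are ignored."""
    nums = re.findall(r"\d+", version.split("-", 1)[0])
    return (tuple(int(n) for n in nums) + (0, 0, 0))[:3]


def is_affected_version(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def dubbo_versions_in_pom(pom_xml):
    """Return (groupId, artifactId, version) for every Dubbo dependency in a pom,
    resolving ${property} versions from the <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") in DUBBO_GROUP_IDS and f.get("artifactId", "").startswith("dubbo"):
            version = f.get("version", "")
            m = re.fullmatch(r"\$\{(.+)\}", version)
            if m:
                version = props.get(m.group(1), version)
            found.append((f["groupId"], f["artifactId"], version))
    return found


def http_protocol_findings(config_text):
    """Return each XML element or property line that enables the HTTP protocol."""
    hits = []
    for m in PROTOCOL_TAG.finditer(config_text):
        name = NAME_ATTR.search(m.group(0))
        if name and name.group(1).strip().lower() == "http":
            hits.append(m.group(0))
    for m in PROP_LINE.finditer(config_text):
        if m.group(1).strip().lower() == "http":
            hits.append(m.group(0).strip())
    return hits


def assess(pom_xml, config_texts):
    """Combine both checks: exposed means an affected version AND HTTP enabled."""
    affected = [d for d in dubbo_versions_in_pom(pom_xml) if is_affected_version(d[2])]
    http_hits = [h for text in config_texts for h in http_protocol_findings(text)]
    return {"affected_versions": affected, "http_enabled": http_hits,
            "exposed": bool(affected) and bool(http_hits)}


# --- constructed sample inputs ---------------------------------------------
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><dubbo.version>2.7.3</dubbo.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.dubbo</groupId>
      <artifactId>dubbo</artifactId>
      <version>${dubbo.version}</version>
    </dependency>
  </dependencies>
</project>"""
SAMPLE_XML = """<beans xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
  <dubbo:protocol name="dubbo" port="20880"/>
  <dubbo:protocol name="http" port="8080"/>
</beans>"""
SAMPLE_PROPS = "dubbo.application.name=demo\ndubbo.protocol.name=http\ndubbo.protocol.port=8080\n"

if __name__ == "__main__":
    print(assess(SAMPLE_POM, [SAMPLE_XML, SAMPLE_PROPS]))
```

The regexes cover the XML and `.properties` forms only; a YAML `dubbo: protocol: name: http` block in application.yml is not matched, so extend the scan before relying on it across a Spring Boot estate. The version check is deliberately coarse (a 2.6.x project that has not moved to the org.apache.dubbo groupId is still reported, because 2.6.0 to 2.6.7 are affected).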

Mitigation

Upgrade. Upgrade to Apache Dubbo 2.7.5 or any later release where the deserialization path is hardened. The release assets are available at:

https://github.com/apache/dubbo/releases/tag/dubbo-2.7.5

Upgrade method (Maven). Update the Dubbo dependency in pom.xml to the patched version, e.g. (2.6.x and earlier were published under the com.alibaba groupId, so moving to 2.7.5 also means switching to org.apache.dubbo as shown):

<dependency>
    <groupId>org.apache.dubbo</groupId>
    <artifactId>dubbo</artifactId>
    <version>2.7.5</version>
</dependency>

For additional guidance refer to the official repository:

https://github.com/apache/dubbo

Temporary protection. If an immediate upgrade is not possible, a Web Application Firewall (WAF) can be configured to block HTTP‑based Dubbo invocations, and if no client actually needs the HTTP transport the cleanest interim step is to remove the <dubbo:protocol name="http"/> entry so that nothing listens on it. Key any WAF rule on the request body rather than on the client-supplied Content-Type header: the HttpInvoker transport carries a Java serialization stream, which always begins with the bytes AC ED 00 05. Either measure is a defensive stopgap, not a substitute for upgrading.
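What such a WAF rule has to inspect follows from the call chain above: the body handed to ObjectInputStream.readObject is a Java serialization stream, and Spring's HttpInvoker clients send it with the Content-Type application/x-java-serialized-object. The pre-filter below is an added example written for this page, not code from the original article or from Dubbo; the request bodies it checks are constructed by hand (a hypothetical class name, not a real gadget chain), and only the leading bytes of the stream format are decoded.

```python
"""WAF-style pre-filter for requests to a Dubbo HTTP-protocol endpoint.

Added example, not code from the original article or from Dubbo. Every
java.io.ObjectOutputStream stream begins with STREAM_MAGIC 0xACED and
STREAM_VERSION 0x0005, so a serialized body is recognizable from its first
four bytes whatever the Content-Type header says. The decoder also extracts
the first class name in the stream so a blocked request can be logged usefully.
Sample bodies are constructed by hand and are not real gadget payloads.
"""
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC, TC_ARRAY = 0x73, 0x72, 0x75
SERIALIZED_OBJECT_CT = "application/x-java-serialized-object"  # sent by HttpInvoker clients


def first_class_name(body):
    """Return the class name of the first object or array in a Java
    serialization stream, or None if the body is not such a stream.
    Only the prefix magic -> TC_OBJECT/TC_ARRAY -> TC_CLASSDESC -> UTF name is
    decoded; class names are ASCII in practice, so plain UTF-8 stands in for
    Java's modified UTF-8 here."""
    if not body.startswith(STREAM_MAGIC) or len(body) < 8:
        return None
    if body[4] not in (TC_OBJECT, TC_ARRAY) or body[5] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack_from(">H", body, 6)
    name = body[8:8 + length]
    if len(name) != length:          # truncated stream
        return None
    return name.decode("utf-8", errors="replace")


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def inspect_request(headers, body):
    """Decide whether to block a request. The body bytes are checked first,
    because the Content-Type header is chosen by the client and a rule keyed
    on it alone is trivially bypassed; the HttpInvoker content type is still
    blocked as a second, cheaper signal."""
    if body.startswith(STREAM_MAGIC):
        return {"block": True, "reason": "java-serialized body",
                "class_name": first_class_name(body)}
    ct = _header(headers, "Content-Type").split(";", 1)[0].strip().lower()
    if ct == SERIALIZED_OBJECT_CT:
        return {"block": True, "reason": "serialized-object content-type", "class_name": None}
    return {"block": False, "reason": "", "class_name": None}


def serialized_stub(class_name):
    """Constructed stream prefix: magic, TC_OBJECT, TC_CLASSDESC and the class
    name. A real stream continues with serialVersionUID, flags and fields."""
    name = class_name.encode()
    return STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name


# Constructed samples (hypothetical class name; not a real gadget chain).
EXPLOIT_LIKE = serialized_stub("com.example.HypotheticalGadget")
LEGIT_LIKE = serialized_stub("org.springframework.remoting.support.RemoteInvocation")
JSON_BODY = b'{"method":"sayHello","params":["world"]}'

if __name__ == "__main__":
    for hdrs, body in [({"Content-Type": SERIALIZED_OBJECT_CT}, EXPLOIT_LIKE),
                       ({}, LEGIT_LIKE),
                       ({"Content-Type": "application/json"}, JSON_BODY)]:
        print(inspect_request(hdrs, body))
```

Note what this rule does and does not buy. Blocking every serialized body also blocks legitimate Dubbo-over-HTTP clients, so it amounts to switching the transport off until the upgrade lands; that is the intended effect. Allowlisting on the extracted top-level class name is not a safe alternative: a hostile payload can sit inside the arguments of an otherwise ordinary RemoteInvocation, so the first class name in the stream is only useful for logging and triage.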

Written by

ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.