Why Apache Dubbo’s Remote Code Execution (CVE‑2020‑1948) Is Critical and How to Patch It
The 2020‑06‑23 360CERT alert reveals a high‑severity remote code execution vulnerability (CVE‑2020‑1948) in Apache Dubbo providers, explains its impact, affected versions, risk rating, and provides concrete upgrade and mitigation recommendations to protect Java RPC services.
0x01 Vulnerability Background
On June 23, 2020, 360CERT detected that Apache Dubbo had issued an advisory for a remote code execution vulnerability (CVE‑2020‑1948) classified as high severity.
Apache Dubbo is a high‑performance, lightweight open‑source Java RPC framework offering three core capabilities: interface‑based remote method invocation, intelligent fault tolerance and load balancing, and automatic service registration and discovery.
The Dubbo provider has a deserialization flaw: an attacker can send RPC requests that name a service or method the provider does not recognize, with malicious parameter payloads attached. The provider deserializes those parameters anyway, and that deserialization can lead to remote code execution.
The technical details of the vulnerability have been publicly disclosed.
360CERT recommends users promptly apply the latest patches, conduct asset self‑assessment, and implement preventive measures to avoid exploitation.
0x02 Risk Rating
Threat level: High
Impact scope: Wide
0x03 Vulnerability Details
Because the provider deserializes a request's parameters even when it cannot match the named service and method to anything it exports, an attacker who can reach the provider's Dubbo port (20880 by default) can trigger remote code execution simply by placing malicious parameters in an RPC call.
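The request shape described in 0x01 and 0x03 (a valid Dubbo frame whose service or method name the provider does not export) can be spotted on the wire before any argument is deserialized. The following is an added example for illustration, not code from Apache Dubbo or from 360CERT: it decodes the 16-byte Dubbo header and the five leading Hessian2 strings of a request (protocol version, service path, service version, method name, parameter descriptor) and compares the service and method against an allowlist. The allowlist, the sample frames and the `build_request` helper are constructed here; the header layout, serialization ids and field order are the documented wire format.

```python
"""Flag Dubbo requests whose service/method the provider does not export.

Added example, not code from Apache Dubbo or 360CERT.  EXPOSED and the sample
frames are constructed for illustration.
"""
import struct

DUBBO_MAGIC = 0xDABB
HEADER_LEN = 16                    # magic(2) flag(1) status(1) request id(8) body length(4)
FLAG_REQUEST, FLAG_TWOWAY, FLAG_EVENT = 0x80, 0x40, 0x20
SERIALIZATION_MASK = 0x1F          # low 5 bits of the flag byte select the serializer
HESSIAN2 = 2                       # Dubbo's default serialization id

# Constructed allowlist: what this hypothetical provider actually exports.
EXPOSED = {"org.apache.dubbo.samples.basic.api.DemoService": {"sayHello"}}


def hessian2_string(s):
    """Encode one single-chunk Hessian2 string (length counts UTF-16 units)."""
    data, n = s.encode("utf-8"), len(s)
    if n < 32:
        return bytes([n]) + data
    if n < 1024:
        return bytes([0x30 + (n >> 8), n & 0xFF]) + data
    return b"S" + struct.pack(">H", n) + data


def read_hessian2_string(buf, pos):
    """Decode a single-chunk Hessian2 string at buf[pos]; return (text, new_pos)."""
    tag = buf[pos]
    if tag <= 0x1F:
        n, pos = tag, pos + 1
    elif 0x30 <= tag <= 0x33:
        n, pos = ((tag - 0x30) << 8) | buf[pos + 1], pos + 2
    elif tag == 0x53:                                  # 'S': final chunk, 16-bit length
        n, pos = struct.unpack_from(">H", buf, pos + 1)[0], pos + 3
    else:
        raise ValueError("expected a Hessian2 string, got tag 0x%02x" % tag)
    end = pos
    for _ in range(n):                                 # walk n UTF-8 characters (BMP only)
        lead = buf[end]
        end += 1 if lead < 0x80 else 2 if lead >> 5 == 0b110 else 3
    return buf[pos:end].decode("utf-8"), end


def build_request(service, method, desc, request_id=1, serialization=HESSIAN2):
    """Constructed sample: a Dubbo request frame up to the parameter descriptor."""
    body = b"".join(hessian2_string(s) for s in ("2.0.2", service, "0.0.0", method, desc))
    # A real request continues with the arguments and an attachment map; the
    # checker never reads past the descriptor, so they are omitted here.
    flag = FLAG_REQUEST | FLAG_TWOWAY | serialization
    return struct.pack(">HBBqI", DUBBO_MAGIC, flag, 0, request_id, len(body)) + body


def parse_request(frame):
    """Header fields plus service/version/method/desc of a Hessian2 request."""
    magic, flag, _status, request_id, length = struct.unpack_from(">HBBqI", frame, 0)
    if magic != DUBBO_MAGIC:
        raise ValueError("not a Dubbo frame")
    info = {"request_id": request_id, "serialization": flag & SERIALIZATION_MASK,
            "is_request": bool(flag & FLAG_REQUEST), "is_event": bool(flag & FLAG_EVENT)}
    if not info["is_request"] or info["is_event"] or info["serialization"] != HESSIAN2:
        return info                                    # response, heartbeat or undecoded serializer
    body, pos, values = frame[HEADER_LEN:HEADER_LEN + length], 0, []
    for _ in range(5):                                 # dubbo version, path, version, method, desc
        text, pos = read_hessian2_string(body, pos)
        values.append(text)
    info.update(zip(("dubbo_version", "service", "service_version", "method", "desc"), values))
    return info


def classify(frame, exposed=EXPOSED):
    """'ok' for an exported service+method; otherwise name the mismatch.

    Anything other than 'ok' is a request whose arguments would be deserialized
    without a matching method signature: the shape the advisory warns about.
    """
    info = parse_request(frame)
    if "service" not in info:
        return "skipped"
    if info["service"] not in exposed:
        return "unknown-service"
    if info["method"] not in exposed[info["service"]]:
        return "unknown-method"
    return "ok"


if __name__ == "__main__":
    svc = "org.apache.dubbo.samples.basic.api.DemoService"
    for frame in (build_request(svc, "sayHello", "Ljava/lang/String;"),
                  build_request(svc, "notExported", "Ljava/lang/Object;"),
                  build_request("org.apache.dubbo.NoSuchService", "sayHello", "Ljava/lang/String;")):
        print(classify(frame))
```

The check stops at the method descriptor on purpose: the whole point of the flaw is that nothing should be deserialized for a request that cannot be routed, so a monitor or proxy applying this allowlist never touches the argument bytes. Requests using a serialization id other than Hessian2 are reported as skipped rather than decoded; in practice a non-default serializer on a provider's port is itself worth a closer look.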
0x04 Affected Versions
Dubbo 2.7.0 – 2.7.6
Dubbo 2.6.0 – 2.6.7
Dubbo 2.5.x (no longer maintained)
0x05 Fix Recommendations
General remediation
Users should upgrade to version 2.7.7 or later. The release can be downloaded from https://github.com/apache/dubbo/releases/tag/dubbo-2.7.7. Note that 2.6.x builds were published under the com.alibaba groupId, so moving from 2.6.x to 2.7.7 means switching to the org.apache.dubbo artifacts as well as changing the version number; the advisory lists no fixed build on the 2.6 or 2.5 lines.
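For the asset self-assessment recommended in 0x01, the affected ranges above can be applied directly to build output. The following is an added example, not a 360CERT or Apache Dubbo tool: it scans lines shaped like `mvn dependency:list` output, `gradle dependencies` output and jar paths for Dubbo artifacts, matching both the com.alibaba (2.6.x) and org.apache.dubbo (2.7.x) groupIds, and reports each version against the advisory's ranges. The sample lines are constructed.

```python
"""Inventory check for the Dubbo versions named in this advisory.

Added example, not a 360CERT or Apache Dubbo tool.  The version ranges are
taken from the advisory's Affected Versions section; SAMPLE_LINES are
constructed to look like Maven/Gradle dependency output and jar paths.
"""
import re

AFFECTED_RANGES = [((2, 7, 0), (2, 7, 6)), ((2, 6, 0), (2, 6, 7))]   # inclusive
UNMAINTAINED_MINOR = (2, 5)        # every 2.5.x build; the line is no longer maintained
FIXED = (2, 7, 7)

# groupId:artifactId[:jar]:version, as both Maven and Gradle print it.
# 2.6.x shipped as com.alibaba:dubbo, 2.7.x as org.apache.dubbo:dubbo.
DEP_RE = re.compile(
    r"(?:org\.apache\.dubbo|com\.alibaba):(?P<artifact>dubbo(?:-\w+)*):(?:jar:)?"
    r"(?P<version>\d+\.\d+\.\d+[\w.-]*)")
# dubbo-<version>.jar or dubbo-<module>-<version>.jar found on a path
JAR_RE = re.compile(r"\b(?P<artifact>dubbo(?:-[a-z]+)*)-(?P<version>\d+\.\d+\.\d+[\w.-]*)\.jar")
# Gradle prints the resolved version after an arrow when it overrides the declared one
RESOLVED_RE = re.compile(r"-> (\d+\.\d+\.\d+[\w.-]*)")


def parse_version(text):
    """'2.7.6-SNAPSHOT' -> (2, 7, 6); the qualifier is dropped here."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version):
    """Map a version string onto the advisory: affected / fixed / needs a look."""
    v = parse_version(version)
    if v is None:
        return "unverified"
    if v[:2] == UNMAINTAINED_MINOR:
        return "affected-unmaintained"          # no fixed 2.5 build: migrate
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"                       # upgrade to 2.7.7 or later
    if v >= FIXED and "SNAPSHOT" not in version.upper():
        return "fixed"
    return "unverified"                         # e.g. a snapshot of the fix line, or a version
                                                # the advisory does not list: check by hand


def scan(lines):
    """Return (artifact, version, verdict) for every Dubbo artifact in the lines."""
    findings = []
    for line in lines:
        m = DEP_RE.search(line) or JAR_RE.search(line)
        if not m:
            continue
        resolved = RESOLVED_RE.search(line)
        version = resolved.group(1) if resolved else m.group("version")
        findings.append((m.group("artifact"), version, assess(version)))
    return findings


# Constructed sample input: Maven, Gradle and a jar on disk.
SAMPLE_LINES = """\
[INFO]    org.apache.dubbo:dubbo:jar:2.7.6:compile
[INFO]    com.alibaba:dubbo:jar:2.6.5:compile
[INFO]    org.apache.dubbo:dubbo-common:jar:2.7.7:compile
+--- org.apache.dubbo:dubbo:2.7.5 -> 2.7.7
+--- com.alibaba:dubbo:2.5.10
/opt/app/lib/dubbo-2.6.7.jar
[INFO]    io.netty:netty-all:jar:4.1.25.Final:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version, verdict in scan(SAMPLE_LINES):
        print(f"{artifact:<14} {version:<10} {verdict}")
```

Two details matter when running this against real output. Gradle's `->` notation means the declared version was overridden, so the resolved one is what ends up on the classpath and is what gets assessed. And a build that only lists a fixed `dubbo` coordinate can still ship an older `dubbo-*` module through a transitive dependency, which is why every artifact under the two groupIds is reported rather than only `dubbo` itself.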
0x06 Related Asset Mapping Data
360 Security Brain's Quake network mapping system shows extensive use of Dubbo within China; the advisory presents the distribution as a map, which is not reproduced here.
0x07 Product‑Side Solution
360 City‑Level Network Security Monitoring Service
The Quake asset mapping platform monitors exposure to such vulnerabilities; users should contact the relevant product team for appropriate solutions.
0x08 Timeline
2020‑06‑22: Apache Dubbo official announcement.
2020‑06‑23: 360CERT issued the security advisory.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Java Backend Technology