A Java deserialization vulnerability CVE-2020-1948 has been discovered in Dubbo applications that use Hessian 2 serialization. This vulnerability has brought trouble to users. This topic describes how to fix this vulnerability.

Vulnerability description

This vulnerability allows attackers to use the serialization source com.caucho.hessian.io.Hessian2Output to modify existing gadgets such as Rome, Quercus, XBean, and XBean 2. For more information about other gadgets that may be modified, see marshalsec and ysoserial. If a Dubbo provider application uses dependency packages such as rome, quercus, xbean-naming, attackers can create payloads. Then, they can use the Java Naming and Directory Interface (JNDI) to connect to the Lightweight Directory Access Protocol (LDAP) server or call the Java Remote Method Invocation (RMI) API to connect to the default port 20880 of Dubbo providers. This allows attackers to remotely connect to a Dubbo provider and run malicious code. This is how attackers exploit this vulnerability to initiate remote code execution (RCE) attacks.

For more information about this vulnerability, see [CVE-2020-1948] Apache Dubbo Provider default deserialization cause RCE.

Affected versions

  • Dubbo 2.7.0 to 2.7.6
  • Dubbo 2.6.0 to 2.6.7
  • All Dubbo 2.5.x versions, which are no longer updated or maintained

Vulnerability analysis

After analyzing how Hessian 2 serialization is exploited by attackers and how payloads are created, security engineers concluded that this vulnerability can be exploited only if the following requirements are met:

  • The Dubbo server has referenced a third-party Rome or Quercus library such as com.rometools:rome:1.7.0 or com.caucho:quercus:4.0.45.
  • The Java Development Kit (JDK) is earlier than version 7u201 or version 8u191. Versions earlier than 7u201 or 8u191 allow users to use the JNDI to call the RMI API to connect to LDAP servers. This RCE vulnerability can be exploited in the following ways by using the JDK and affect the following JDK versions:
    • Call the RMI API to remotely load a malicious object registered in RMI Registry. Affected JDK versions: versions that are earlier than 6u45 or 7u21.
    • Use the RMI API and JNDI to run malicious code. Affected JDK versions: versions that are earlier than 6u132, 7u122, or 8u113.
    • Use the JNDI to connect to the LDAP server. Affected JDK versions: versions that are earlier than 6u211, 7u201, 8u191, or 11u1.
  • The security group of the ECS instance or Kubernetes node where the Dubbo application is deployed has port 20880 open.

Several requirements must be met if an attacker wants to exploit this vulnerability. By default, Dubbo applications, Spring Cloud applications, High-speed Service Framework (HSF) applications, and the registration center and server applications of EDAS have authentication enabled. Unauthorized services cannot be registered, subscribed, or called. By default, applications are deployed in virtual private clouds (VPCs). VPCs are isolated from each other and do not allow requests from the Internet unless the applications in the VPCs are assigned a public IP address that supports Internet access. Therefore, it is difficult for attackers to connect to Dubbo applications that are deployed in VPCs.

Fixes

  • Check whether your Dubbo applications contain third-party packages such as rome and quercus or check whether Rome and Quercus gadgets exist. If these packages or gadgets exist, upgrade the Dubbo applications to versions later than the preceding versions. Be aware that you must run compatibility tests in the staging environment to verify that the services run as expected after the applications are upgraded. Then, upgrade the applications in the production environment.
  • Upgrade the JDK to version 7u201 or later, or version 8u191 or later. EDAS automatically upgrades the JDK for applications that are deployed within the last year.
    Notice The JSD cannot be automatically upgraded for Kubernetes clusters that are deployed from an image.
  • Check the security group of the ECS or Kubernetes node where the Dubbo application is deployed. Make sure that port 20880 is not open in the security group. Port 20880 is closed by default and does not support Internet access. If your workloads must open this port, make sure that the source IP address and CIDR block of the port and the security group do not raise security issues. For example, do not set the CIDR block to 0.0.0.0/0. Otherwise, unauthorized connections to the port may be established.
  • Upgrade Dubbo to version 2.7.7 or later.
    Notice Test the applications in the staging environment before you upgrade them in the production environment.