Apache Dubbo (Dubbo for short) contains a Hessian2 deserialization vulnerability. This remotely exploitable vulnerability allows attackers to bypass the deserialization blacklists and whitelists by tampering with the Hessian2 protocol.
Vulnerability description
In the default communication mode, Dubbo uses the serialization ID in a data packet to pass the serialization protocol that is used by the data body. In versions earlier than Dubbo 2.7.8 or 2.6.9, attackers can construct the serialization ID they need and send it to the server. The server is then forced to use that serialization ID for deserialization. This means that if a serialization mode with weak security, such as Kryo, fast serialization (FST), or nativejava, is used, attackers can exploit this vulnerability to launch attacks.
For example, native Hessian is similar to Hessian2, but does not support blacklists or whitelists. Therefore, even if you configure blacklists and whitelists for Hessian2, attackers can change the protocol from Hessian2 to native Hessian to bypass the blacklists and whitelists.
Vulnerability severity
Medium
Affected users
- All users who use Dubbo 2.5.x
- All users who use a Dubbo 2.6.x version earlier than 2.6.10
- All users who use a Dubbo 2.7.x version earlier than 2.7.10
Fixes
Update Dubbo to the specified version based on the existing version that you use and enable the strong verification feature.
- Update Dubbo.
  - If you use Dubbo 2.5.x, update Dubbo to 2.6.10.1 or 2.7.12.
  - If you use Dubbo 2.6.x, update Dubbo to 2.6.10.1 or 2.7.12.
  - If you use Dubbo 2.7.x, update Dubbo to 2.7.12.
- Enable the strong verification feature by configuring the serialization.security.check=true environment variable.
Note: If your cluster has many nodes and Dubbo is not updated on some of them, an incompatibility issue may occur in the communication with the serialization protocols of Dubbo 2.7.8 or earlier after the strong verification feature is enabled. You must evaluate whether to enable the strong verification feature.
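The check that the strong verification feature enforces, shown on the wire format as an added example (Python, not Dubbo's own code): the 16-byte Dubbo header carries the serialization ID in the low 5 bits of the flag byte, and a receiver configured for Hessian2 (ID 2) rejects any packet that names a different serializer instead of honouring it. The sample headers are constructed here for the check; the ID-to-name table follows Dubbo's serialization constants.

```python
import struct

MAGIC = 0xDABB  # first two bytes of every Dubbo protocol packet

# Serialization IDs carried in the low 5 bits of the header flag byte
# (values as defined in Dubbo's serialization constants).
SERIALIZATION_NAMES = {
    2: "hessian2", 3: "java", 4: "compactedjava", 6: "fastjson",
    7: "nativejava", 8: "kryo", 9: "fst", 10: "nativehessian",
}


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 16-byte Dubbo header: magic, flag, status, request id, body length."""
    if len(packet) < 16:
        raise ValueError("packet shorter than the 16-byte Dubbo header")
    magic, flag, status, request_id, body_len = struct.unpack(">HBBQI", packet[:16])
    if magic != MAGIC:
        raise ValueError("not a Dubbo packet (bad magic)")
    return {
        "is_request": bool(flag & 0x80),   # bit 7: request vs. response
        "two_way": bool(flag & 0x40),      # bit 6: expects a reply
        "is_event": bool(flag & 0x20),     # bit 5: heartbeat/event
        "serialization_id": flag & 0x1F,   # bits 0-4: serializer chosen by the sender
        "status": status,
        "request_id": request_id,
        "body_len": body_len,
    }


def check_serialization(packet: bytes, expected_id: int = 2) -> tuple[bool, str]:
    """Strong-check behaviour: the sender's serialization ID must match the configured one.

    Without this check the server would deserialize the body with whatever
    serializer the packet names, which is the bypass described above.
    """
    sid = parse_header(packet)["serialization_id"]
    name = SERIALIZATION_NAMES.get(sid, f"unknown({sid})")
    if sid != expected_id:
        return False, f"serialization id {sid} ({name}) differs from configured {expected_id}"
    return True, name


def build_header(serialization_id: int, request_id: int, body_len: int) -> bytes:
    """Constructed sample header (two-way request, no body) used to exercise the check."""
    flag = 0x80 | 0x40 | (serialization_id & 0x1F)
    return struct.pack(">HBBQI", MAGIC, flag, 0, request_id, body_len)


if __name__ == "__main__":
    for sid in (2, 10, 8):  # hessian2 (accepted), nativehessian and kryo (rejected)
        print(sid, check_serialization(build_header(sid, 1, 0)))
```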