On June 23, 2020, the Alibaba Cloud emergency response center learned that Apache Dubbo had disclosed a remote code execution vulnerability.
Apache Dubbo is a high-performance Java-based RPC framework. According to the Apache Dubbo announcement, Dubbo Provider has a remote code execution vulnerability (CVE-2020-1948) caused by unsafe deserialization. An attacker can craft and send an RPC request whose parameters carry a malicious payload; when the provider deserializes those parameters, the payload executes code remotely.
Scope of impact:
- Apache Dubbo 2.7.0-2.7.6
- Apache Dubbo 2.6.0-2.6.7
- Apache Dubbo 2.5.x (the Apache Dubbo project no longer provides technical support for these versions)
Risk level: high
Rule-based defense: A virtual patch is available in the Cloud Firewall console to defend against this vulnerability.
Rule type: command execution
Security suggestions:
- Apache Dubbo has released version 2.7.7 to fix this vulnerability. Upgrade your Apache Dubbo version to 2.7.7 or later. Download URL for Apache Dubbo 2.7.7: Download URL
- Use the Intrusion Prevention feature of Cloud Firewall.
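To act on the upgrade suggestion above, a practitioner first needs to know which builds still pull an affected Dubbo version. The following script is an added example, not code from the advisory or the Dubbo project: it scans a Maven POM for Dubbo dependencies and flags the affected ranges listed in this advisory. The artifact coordinates (`org.apache.dubbo:dubbo` and the older `com.alibaba:dubbo`) and the sample POM are assumptions constructed for the example.

```python
"""Flag Maven dependencies on Dubbo versions that CVE-2020-1948 affects (added example, not from the advisory)."""
import re
import xml.etree.ElementTree as ET

# Inclusive ranges from the advisory; 2.5.x is treated as "every 2.5 release" in is_affected().
AFFECTED_RANGES = [((2, 7, 0), (2, 7, 6)), ((2, 6, 0), (2, 6, 7))]
# Dubbo's artifact coordinates before and after it moved to the ASF (assumption, not stated on the page).
DUBBO_ARTIFACTS = {("org.apache.dubbo", "dubbo"), ("com.alibaba", "dubbo")}


def parse_version(text):
    """'2.7.3' or '2.6.5-SNAPSHOT' -> (2, 7, 3) / (2, 6, 5); a qualifier is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:  # e.g. an unresolved ${dubbo.version} property
        raise ValueError(f"unrecognised version {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True when the version lies in a range the advisory lists as vulnerable."""
    v = parse_version(version)
    if v[:2] == (2, 5):  # all 2.5.x releases are affected and no longer supported
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_vulnerable_deps(pom_xml):
    """Return [(groupId, artifactId, version)] for Dubbo dependencies in an affected range."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the Maven xmlns, if any
    hits = []
    for dep in ET.fromstring(pom_xml).iter():
        if local(dep.tag) != "dependency":
            continue
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) not in DUBBO_ARTIFACTS or "version" not in f:
            continue  # not Dubbo, or version inherited from a parent/BOM: resolve that separately
        try:
            if is_affected(f["version"]):
                hits.append((f["groupId"], f["artifactId"], f["version"]))
        except ValueError:
            pass  # property placeholder: resolve with `mvn help:effective-pom` before checking
    return hits


# Constructed sample input: two affected coordinates, one fixed (2.7.7), one unrelated artifact.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.dubbo</groupId><artifactId>dubbo</artifactId><version>2.7.3</version></dependency>
<dependency><groupId>com.alibaba</groupId><artifactId>dubbo</artifactId><version>2.6.7</version></dependency>
<dependency><groupId>org.apache.dubbo</groupId><artifactId>dubbo</artifactId><version>2.7.7</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.30</version></dependency>
</dependencies></project>"""
```

Run `find_vulnerable_deps()` on the effective POM of each service; versions that come from a parent POM or a BOM are not visible in the raw file, which is why the check skips dependencies without an explicit version.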