GenericFilter is prone to a remote code execution (RCE) vulnerability. Attackers can construct malformed parameters to launch RCE attacks against the users who make generic calls.

Vulnerability description

By default, Apache Dubbo (Dubbo for short) supports generic calls to arbitrary methods that are exposed by provider interfaces. These calls are handled by GenericFilter. GenericFilter finds the service and method that are specified in the first argument of a call and uses the Java Reflection API to make the final call. When the $invoke or $invokeAsync method is called, attackers can set the generic serialization type to nativejava and send malicious request content to launch RCE attacks.
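The attachment GenericFilter reads to choose the serialization type is the same one a provider-side guard can inspect. The filter below is an added, hypothetical example (not Dubbo's own code or its fix); it assumes Dubbo 2.7.x package names (`org.apache.dubbo`), a made-up class name and package, and that its `order` value sorts it ahead of GenericFilter. It rejects $invoke/$invokeAsync calls that request nativejava and lets every other call through; upgrading as described under "Fixes" remains the actual remediation.

```java
package com.example.dubbo.guard; // hypothetical package, not part of Dubbo

import org.apache.dubbo.common.constants.CommonConstants;
import org.apache.dubbo.common.extension.Activate;
import org.apache.dubbo.common.utils.StringUtils;
import org.apache.dubbo.rpc.Filter;
import org.apache.dubbo.rpc.Invocation;
import org.apache.dubbo.rpc.Invoker;
import org.apache.dubbo.rpc.Result;
import org.apache.dubbo.rpc.RpcContext;
import org.apache.dubbo.rpc.RpcException;
import org.apache.dubbo.rpc.support.ProtocolUtils;

/**
 * Provider-side filter that refuses generic calls ($invoke / $invokeAsync)
 * whose "generic" attachment asks for nativejava serialization.
 * Order -30000 is assumed to run before GenericFilter (order -20000).
 * Register it via SPI in META-INF/dubbo/org.apache.dubbo.rpc.Filter, e.g.:
 *   genericGuard=com.example.dubbo.guard.GenericSerializationGuardFilter
 */
@Activate(group = CommonConstants.PROVIDER, order = -30000)
public class GenericSerializationGuardFilter implements Filter {

    @Override
    public Result invoke(Invoker<?> invoker, Invocation invocation) throws RpcException {
        String method = invocation.getMethodName();
        boolean genericCall = CommonConstants.$INVOKE.equals(method)
                || CommonConstants.$INVOKE_ASYNC.equals(method);
        if (genericCall) {
            // GenericFilter takes the type from the invocation attachment first,
            // then falls back to the RpcContext attachment; mirror that lookup.
            String generic = invocation.getAttachment(CommonConstants.GENERIC_KEY);
            if (StringUtils.isBlank(generic)) {
                generic = RpcContext.getContext().getAttachment(CommonConstants.GENERIC_KEY);
            }
            if (ProtocolUtils.isJavaGenericSerialization(generic)) {
                // Fail closed and leave an auditable reason in the provider log / exception.
                throw new RpcException(RpcException.FORBIDDEN_EXCEPTION,
                        "Generic call with nativejava serialization rejected: "
                        + invoker.getInterface().getName() + "." + method);
            }
        }
        // Default generic calls (generic=true, map-based) and normal calls proceed unchanged.
        return invoker.invoke(invocation);
    }
}
```

Rejected calls surface as RpcException with the FORBIDDEN_EXCEPTION code on the provider, which is also a useful signal to alert on while patching is scheduled.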

Vulnerability severity

Medium

Affected users

  • All users who use Dubbo 2.5.x
  • All users who use a Dubbo 2.6.x version earlier than 2.6.10
  • All users who use a Dubbo 2.7.x version earlier than 2.7.10

Fixes

Update Dubbo to the specified version based on the existing version that you use.

  • If you use Dubbo 2.5.x, update Dubbo to 2.6.10.1 or 2.7.12.
  • If you use Dubbo 2.6.x, update Dubbo to 2.6.10.1 or 2.7.12.
  • If you use Dubbo 2.7.x, update Dubbo to 2.7.12.