On February 11, 2020, Alibaba Security Response Center (ASRC) detected an Apache Dubbo deserialization vulnerability (CVE No.: CVE-2019-17564).

Apache Dubbo is a Java-based, distributed remote procedure call (RPC) framework. It supports various protocols and is widely used. We recommend that you use the officially offered Dubbo protocol. Apache Dubbo allows you to use the HTTP protocol for RPC, which is implemented by using Spring HttpInvoker. Deserialization is performed when input streams are processed. When HTTP is enabled, Apache Dubbo performs insecure deserialization upon receiving a remote call request. This leads to the remote execution of arbitrary code.

Cloud Firewall has detected attacks that are initiated by using this vulnerability and blocks such attacks.

Affected versions: Apache Dubbo versions earlier than 2.7.5

Risk level: high

Suggestion: Use the Intrusion Prevention feature of Cloud Firewall.