On June 23, 2020, Alibaba Cloud Emergency Response Center observed that Apache Dubbo had announced a remote code execution vulnerability.

Apache Dubbo is a high-performance Java-based RPC framework. Apache Dubbo announced that Dubbo Provider has a remote code execution vulnerability (CVE-2020-1948) caused by unsafe deserialization. An attacker can craft and send an RPC request whose parameters carry a malicious payload; when the Provider deserializes those parameters, arbitrary code is executed remotely.

Scope of impact:
  • Apache Dubbo 2.7.0-2.7.6
  • Apache Dubbo 2.6.0-2.6.7
  • Apache Dubbo 2.5.x (Apache Dubbo no longer provides technical support for these versions)

Risk level: high

Rule-based defense: A virtual patch is available in the Cloud Firewall console to defend against this vulnerability.

Rule type: command execution

Security suggestions:
  • Apache Dubbo has released version 2.7.7 to fix this vulnerability. Upgrade your Apache Dubbo deployment to 2.7.7 or later. Download URL for Apache Dubbo 2.7.7: Download URL
  • Use the Intrusion Prevention feature of Cloud Firewall.