Severity: Important

Vendor:
The Dubbo Project Team


Versions Affected:
Dubbo 2.7.0 to 2.7.4
Dubbo 2.6.0 to 2.6.7
Dubbo all 2.5.x versions (unsupported any longer)


Description:
This vulnerability can affect users running Dubbo-Rpc-Http (2.7.3 or lower) and 
Spring-Web (5.1.9.RELEASE or lower).
Unsafe deserialization occurs in a Dubbo application that has HTTP 
remoting enabled. An attacker can submit a POST request whose body is a 
serialized Java object to completely compromise a Provider instance of Apache 
Dubbo, if that instance exposes the HTTP protocol.
The Dubbo HTTP endpoint deserializes the request body as a Java object 
stream. A body that contains a malicious set of classes, colloquially referred 
to as a gadget chain, results in the execution of attacker-controlled code 
during deserialization; in this instance the code in question allows arbitrary 
OS commands. The gadget chain is invoked when the Dubbo instance makes an 
internal toString call on the deserialized object while constructing an 
exception.

Note that this vulnerability only affects users who enable the HTTP protocol 
provided by Dubbo:
<dubbo:protocol name="http" />
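
The mechanism described above, as an added example that is not Dubbo's own code: a minimal handler that deserializes a POST body the vulnerable way, next to the same handler hardened with a JEP 290 allowlist filter (Java 9 or later). The class names GreetRequest and Gadget are hypothetical; Gadget merely sets a flag at the point where a real gadget chain would reach Runtime.exec, and exists only to show that readObject side effects run before the application ever sees the object.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added illustration (not Dubbo code): why deserializing a POST body as a
 * Java object stream is dangerous, and how a JEP 290 allowlist filter
 * (Java 9+) rejects unexpected classes before they are instantiated.
 */
public class HttpDeserializationDemo {

    /** Hypothetical request type a provider legitimately expects. */
    public static final class GreetRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public GreetRequest(String name) { this.name = name; }
    }

    /**
     * Stand-in for a gadget (hypothetical): harmless here, but its readObject
     * runs as a side effect of reading the stream, before the handler sees
     * any object. Real gadget chains are built from library classes already
     * on the server's classpath, so the attacker deploys nothing of their own.
     */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        public static volatile boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // a real chain would execute an OS command here
        }
    }

    /** Serialize an object the way an attacker would build a request body. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: deserialize whatever class the body names. */
    public static Object handleUnsafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened pattern: an allowlist filter. Only the expected request class
     * and String (its field type) may be resolved; "!*" rejects everything
     * else, and the rejection happens before the class is instantiated or
     * any readObject hook is invoked.
     */
    public static Object handleFiltered(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                GreetRequest.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new GreetRequest("dubbo"));   // constructed sample body
        byte[] hostile = serialize(new Gadget());               // constructed sample body

        // Unfiltered: the gadget's readObject runs inside readObject().
        handleUnsafe(hostile);
        System.out.println("unfiltered: gadget triggered = " + Gadget.triggered);

        // Filtered: the benign request still works ...
        Gadget.triggered = false;
        GreetRequest req = (GreetRequest) handleFiltered(benign);
        System.out.println("filtered: accepted " + req.name);

        // ... and the hostile body is rejected before any gadget code runs.
        try {
            handleFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage()
                    + "), gadget triggered = " + Gadget.triggered);
        }
    }
}
```

Run it with `java HttpDeserializationDemo.java` on Java 11 or later. The allowlist has to name every class that can legitimately appear in the stream, including field types such as String, which is why a narrow allowlist is easier to get right than a denylist of known gadgets. A filter on the consuming side is defence in depth, not a substitute for the upgrade in the Mitigation section: Dubbo's own HTTP handler performs the deserialization, so an application-level filter cannot reach it.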


Mitigation:
1. Users of all affected versions should upgrade to 2.7.5 or a later release: 
https://github.com/apache/dubbo/releases/tag/dubbo-2.7.5 
2. Until the upgrade is in place, note that only providers that enable the Dubbo 
HTTP protocol (<dubbo:protocol name="http" />) are exposed; providers that do 
not enable it are not affected by this issue.

Credit:
This issue was discovered by Dor Tumarkin from the Checkmarx Team

Jun
