Apache Dubbo Introduction
We build the environment of Apache Dubbo and import the project dubbo-spring-boot-project to idea, then initialize.
The figures below show malicious data is transmitted to server and executed arbitrary commands on the target server.
Impacts
Affected Apache Dubbo versions:
Apache Log4j 2.7.0 - 2.7.6
Apache Dubbo 2.6.0 - 2.6.7
Apache Dubbo 2.5.x
Timeline
June 23, 2020 Apache Dubbo released this vulnerability.
June 24, 2020 Sangfor FarSight Labs analyzed the vulnerability then released alerts and solutions.
Solution
Remediation Solution
1. Apache Dubbo has fixed this vulnerability. Please visit the following link to download the latest version.
Download address: https://github.com/apache/dubbo/tree/master
Sangfor Solution
For Sangfor NGAF customers, keep NGAF security protection rules up to date.
Sangfor Cloud WAF has automatically updated its database in the cloud. Those users are already protected from this vulnerability without needing to perform any additional operations.
Sangfor Cyber Command is capable of detecting attacks which exploit this vulnerability and can alert users in real time. Users can correlate Cyber Command to Sangfor NGAF to block an attacker's IP address.
Sangfor SOC makes sure that Sangfor security specialists are available 24/7 to you for any security issue. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.