Apache Dubbo Introduction
Apache Dubbo is an open-source, high-performance, lightweight, Java-based RPC framework. It offers three key capabilities: interface-based remote calls, fault tolerance with load balancing, and automatic service registration and discovery. It uses a layered architecture that decouples each layer, and models a service with two roles, provider and consumer.
The Apache Dubbo module that handles HTTP requests (the http protocol implementation in dubbo-rpc-http, which is built on Spring's HttpInvokerServiceExporter) contains a deserialization vulnerability, CVE-2019-17564, whose exploitation follows the same pattern as other Java deserialization flaws in middleware. Dubbo hands the raw HTTP request body to a Java ObjectInputStream without validating what it contains, so whatever serialized object an attacker puts in the body is deserialized. If the classpath of the Dubbo application contains a usable gadget chain, an attacker can POST a crafted serialized object over HTTP; the payload fires at the moment Dubbo deserializes it, before any application code sees the request, and results in arbitrary code execution on the affected server.
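As an added example (not code from the advisory or from Apache Dubbo), this is the triage a gateway or WAF in front of a Dubbo provider can apply to the traffic described above: the Dubbo http protocol accepts a Java serialization stream as the POST body, and a legitimate call's top-level object is Spring's RemoteInvocation, so anything else at the top of the stream, including a dynamic-proxy class descriptor, is rejected before the body reaches an ObjectInputStream. The service path, host and the sample request bodies are constructed for the example, and the hostile sample names a placeholder class, not a real gadget.

```python
"""Triage of Dubbo http-protocol requests for Java serialization payloads.

Added example, not code from the advisory or from Apache Dubbo. Assumptions
(labelled here and in comments): the Dubbo http protocol receives a Java
serialization stream as the POST body whose top-level object should be Spring's
RemoteInvocation; the service path, host and sample bodies are constructed.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"        # STREAM_MAGIC + STREAM_VERSION
TC_NULL, TC_CLASSDESC, TC_OBJECT = 0x70, 0x72, 0x73
TC_ENDBLOCKDATA, TC_PROXYCLASSDESC = 0x78, 0x7D
SC_KNOWN_FLAGS = 0x1F                     # WRITE_METHOD|SERIALIZABLE|EXTERNALIZABLE|BLOCK_DATA|ENUM

# Fully qualified class name, or an array descriptor such as "[Ljava.lang.Object;" or "[B".
CLASSNAME_RE = re.compile(
    r"^([A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*|\[+(L[A-Za-z_$][\w$.]*;|[BCDFIJSZ]))$")

REMOTE_INVOCATION = "org.springframework.remoting.support.RemoteInvocation"
ALLOWED_TOP_LEVEL = {REMOTE_INVOCATION}   # the only top-level type a legitimate call carries


def read_utf(buf, pos):
    """Read a Java modified-UTF string: 2-byte big-endian length, then the bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">H", buf, pos)
    raw = buf[pos + 2:pos + 2 + n]
    if len(raw) != n:
        raise ValueError("truncated string")
    return raw.decode("utf-8"), pos + 2 + n


def top_level_class(stream):
    """Class name of the first object in the stream. The first class descriptor can never be a
    back-reference (nothing precedes it), so it is a plain TC_CLASSDESC, a TC_PROXYCLASSDESC
    (a dynamic proxy, which a RemoteInvocation never is), or something else entirely."""
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    if len(stream) < 6 or stream[4] != TC_OBJECT:
        return None
    if stream[5] == TC_PROXYCLASSDESC:
        return "<dynamic proxy>"
    if stream[5] != TC_CLASSDESC:
        return None
    return read_utf(stream, 6)[0]


def referenced_classes(stream):
    """Heuristic scan: every offset that parses as a plausible TC_CLASSDESC, i.e. a valid class
    name followed by an 8-byte serialVersionUID, known flag bits and a small field count.
    This is triage, not a full parser; it cannot see classes reached only via back-references
    or hidden inside custom block data."""
    found = []
    for i in range(4, len(stream)):
        if stream[i] != TC_CLASSDESC:
            continue
        try:
            name, pos = read_utf(stream, i + 1)
        except ValueError:            # also covers UnicodeDecodeError
            continue
        if not CLASSNAME_RE.match(name) or pos + 11 > len(stream):
            continue
        flags = stream[pos + 8]
        (nfields,) = struct.unpack_from(">H", stream, pos + 9)
        if flags & ~SC_KNOWN_FLAGS or nfields > 200:
            continue
        found.append(name)
    return found


def classify_request(raw):
    """Verdict for one raw HTTP request: 'pass' (no Java serialization in the body),
    'allow' (top-level object is a RemoteInvocation) or 'block' (anything else)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method = head.split(b" ", 1)[0]
    if method != b"POST" or not body.startswith(STREAM_MAGIC):
        return {"java_serialized": False, "top": None, "classes": [], "verdict": "pass"}
    top = top_level_class(body)
    return {"java_serialized": True, "top": top, "classes": referenced_classes(body),
            "verdict": "allow" if top in ALLOWED_TOP_LEVEL else "block"}


# --- constructed samples: minimal zero-field class descriptors, not captured Dubbo traffic ---

def class_desc(name, flags=0x02):
    """TC_CLASSDESC + name + fake serialVersionUID + flags + 0 fields + TC_ENDBLOCKDATA + null super."""
    n = name.encode()
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(n)) + n + b"\x00" * 8
            + bytes([flags]) + b"\x00\x00" + bytes([TC_ENDBLOCKDATA, TC_NULL]))


def http_post(body, path="/com.example.DemoService"):   # assumed service path and host
    hdr = (f"POST {path} HTTP/1.1\r\nHost: dubbo-provider:8080\r\n"
           f"Content-Type: application/x-java-serialized-object\r\n"
           f"Content-Length: {len(body)}\r\n\r\n")
    return hdr.encode() + body


LEGIT = http_post(STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc(REMOTE_INVOCATION))
HOSTILE = http_post(STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc("java.util.HashMap")
                    + bytes([TC_OBJECT]) + class_desc("com.example.ConstructedGadget"))  # placeholder name
PROXY = http_post(STREAM_MAGIC + bytes([TC_OBJECT, TC_PROXYCLASSDESC]))
PLAIN = http_post(b'{"method":"sayHello"}')

if __name__ == "__main__":
    for label, req in [("legit", LEGIT), ("hostile", HOSTILE), ("proxy", PROXY), ("plain", PLAIN)]:
        print(label, classify_request(req))
```

The top-level check is exact because the first class descriptor in a stream cannot be a back-reference; the nested class list is a heuristic for analysts and denylists, not a guarantee. Neither replaces the fix on the provider itself, where the stream must be rejected before ObjectInputStream resolves any class.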
Build the environment with Apache Dubbo 2.7.3 and ZooKeeper 3.4.9: start ZooKeeper, then import the Dubbo project into IntelliJ IDEA as a Maven project. Output like the following indicates the environment was built successfully.
The figures below show the malicious serialized data being sent to the server over HTTP and the payload executing on the target server.
Affected Apache Dubbo versions:
Apache Dubbo 2.7.0 - 2.7.4
Apache Dubbo 2.6.0 - 2.6.7
Apache Dubbo 2.5.x (all releases)
2020/02/11 Apache Dubbo disclosed this vulnerability.
2020/02/15 The Sangfor Qianli security team analyzed the vulnerability and released alerts and solutions.
1. Apache Dubbo has fixed this vulnerability in version 2.7.5. Please visit the following link to download the latest version. Until the upgrade is in place, do not expose providers that export the http protocol to untrusted networks: the deserialization happens before any application-level check, so network reachability alone is enough to trigger it.
For Sangfor NGAF customers, keep the NGAF security protection rules up to date.
Sangfor Cloud WAF has already updated its rule database in the cloud; users are protected from this high-risk vulnerability without any action on their part.
Sangfor Cyber Command can detect attacks exploiting this vulnerability and alert users. Users can correlate Cyber Command with Sangfor NGAF to block the attacker's IP address.