Apache Dubbo Deserialization Vulnerability CVE-2019-17564

20/02/2020 15:46:16
Description

Apache Dubbo Introduction
Apache Dubbo is an open high-performance, light weight, Java based RPC framework. Dubbo offers three key functionalities, including interface based remote call, fault tolerance and load balancing, and automatic service registration and discovery. It adopts layered architecture to decouple all the layers, and provides service with two roles, provider and consumer.

Vulnerability Summary
The Apache Dubbo module used for handling HTTP requests contains a deserialization vulnerability, which has similar exploitation method with other deserialization vulnerabilities in Java based middleware. Apache Dubbo handles message body improperly, which causes deserialization. When Dubbo project package includes available gadgets, attackers can send malicious deserializated data via HTTP protocol. This vulnerability will be triggered when Dubbo serializes the malicious data. Attackers can exploit this vulnerability to execute arbitrary code on affected Apache Dubbo servers.

Vulnerability Reproduction
Build the environment Apache Dubbo2.7.3 + ZooKeeper3.4.9, start ZooKeeper, and import Dubbo project maven to idea. If you see the following information, it indicates the environment is built successfully.



The figures below show malicious data is transmitted to server via HTTP protocol and executed on the target server.



Affected Versions
Affected Apache Dubbo versions:

Apache Dubbo 2.7.0 - 2.7.4.1

Apache Dubbo 2.6.0 - 2.6.7

Apache Dubbo 2.5.x

Timeline
2020/02/11 Apache Dubbo released this vulnerability.

2020/02/15 Sangfor Qianli security team analyzed the vulnerability, and released alerts and solutions.

Solution

Remediation Solution
1. Apache Dubbo has fixed this vulnerability. Please visit the following link to download the latest version.

Link: https://github.com/apache/dubbo/tree/master

Sangfor Solution
For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cloud WAF has updated database immediately in the cloud. Users can be protected from high risk easily and rapidly without performing any operation.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command to Sangfor NGAF to block attacker IP address.

Our Social Networks

Global Service Center:

COPYRIGHT © 2000-2020 SANGFOR TECHNOLOGIES. ALL RIGHTS RESERVED.