Severity: Important

Vendor: The Dubbo Project Team

Versions Affected:
Dubbo 2.7.0 to 2.7.4
Dubbo 2.6.0 to 2.6.7
Dubbo all 2.5.x versions (no longer supported)

Description:
This vulnerability can affect users using Dubbo-Rpc-Http (2.7.3 or lower) and Spring-Web (5.1.9.RELEASE or lower). Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. The Dubbo HTTP instance attempts to deserialize data within the Java ObjectStream, which contains a malicious set of classes, colloquially referred to as a gadget chain, whose invocation results in the execution of malicious code. In this instance, the malicious code in question allows arbitrary OS commands, and the invocation of the gadget chain occurs when an internal toString call is made in the Dubbo instance on this gadget chain, during exception creation.

Notice that this vulnerability only affects users who enable the http protocol provided by Dubbo:

<dubbo:protocol name="http" />

Mitigation:
1. Users of all versions can upgrade to 2.7.5 or a higher version: https://github.com/apache/dubbo/releases/tag/dubbo-2.7.5

Credit:
This issue was discovered by Dor Tumarkin from the Checkmarx Team

Jun
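Added example (not part of the advisory or the Dubbo project): a small audit helper that combines the two conditions the advisory gives, an affected Dubbo version from the "Versions Affected" list and an http protocol entry in the Dubbo XML configuration. The sample configuration strings are constructed, and the namespace URIs used in them are assumed.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive version ranges taken from the "Versions Affected" list; every 2.5.x release is also affected.
AFFECTED_RANGES = [((2, 7, 0), (2, 7, 4)), ((2, 6, 0), (2, 6, 7))]


def parse_version(version):
    """Return (major, minor, patch) from strings such as '2.7.4' or '2.7.4-SNAPSHOT'."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Dubbo version: {version!r}")
    return tuple(int(part) for part in match.groups())


def version_affected(version):
    """True if the Dubbo release falls inside one of the advisory's affected ranges."""
    triple = parse_version(version)
    if triple[:2] == (2, 5):
        return True
    return any(low <= triple <= high for low, high in AFFECTED_RANGES)


def http_protocol_enabled(xml_text):
    """True if the configuration declares a <dubbo:protocol name="http" .../> element."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        local_name = element.tag.rsplit("}", 1)[-1]  # strip any XML namespace prefix
        if local_name == "protocol" and element.get("name", "").lower() == "http":
            return True
    return False


def exposed(version, xml_text):
    """Both conditions from the advisory must hold for the instance to be exposed."""
    return version_affected(version) and http_protocol_enabled(xml_text)


# Constructed sample configurations (namespace URIs assumed for illustration).
SAMPLE_HTTP = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
  <dubbo:application name="demo-provider"/>
  <dubbo:protocol name="http" port="8080"/>
</beans>"""
SAMPLE_DUBBO = SAMPLE_HTTP.replace('name="http"', 'name="dubbo"')

if __name__ == "__main__":
    print("2.7.3 + http protocol exposed:", exposed("2.7.3", SAMPLE_HTTP))
    print("2.7.5 + http protocol exposed:", exposed("2.7.5", SAMPLE_HTTP))
```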