Hi,

Sorry for the typo. The vulnerability was reported by Dor Tumarkin from the Checkmarx Team.
Thanks to Dor again for the vulnerability report.

Jun

> On Feb 11, 2020, at 4:10 PM, Dor Tumarkin <[email protected]> wrote:
>
> Hi Jun,
> Thank you for the update!
> Can you correct the typo in the company name and credit the research team, so
> it's "Dor Tumarkin from the Checkmarx Research Team"?
>
> Thanks,
> Dor
>
> From: Jun Liu <[email protected]>
> Sent: Tuesday, February 11, 2020 9:10 AM
> To: [email protected]; [email protected]; Erez Yalon <[email protected]>; Dor Tumarkin <[email protected]>
> Subject: [CVE-2019-17564] Apache Dubbo deserialization vulnerability
>
> Severity: Important
>
> Vendor:
> The Dubbo Project Team
>
> Versions Affected:
> Dubbo 2.7.0 to 2.7.4
> Dubbo 2.6.0 to 2.6.7
> Dubbo all 2.5.x versions (no longer supported)
>
> Description:
> This vulnerability can affect users using Dubbo-Rpc-Http (2.7.3 or lower) and
> Spring-Web (5.1.9.RELEASE or lower).
> Unsafe deserialization occurs within a Dubbo application which has HTTP
> remoting enabled. An attacker may submit a POST request with a Java object in
> it to completely compromise a Provider instance of Apache Dubbo, if this
> instance enables HTTP.
> The Dubbo HTTP instance attempts to deserialize data within the Java
> ObjectStream, which contains a malicious set of classes, colloquially
> referred to as a gadget chain, whose invocation results in the execution of
> malicious code. In this instance, the malicious code in question allows
> arbitrary OS commands, and the invocation of the gadget chain occurs when an
> internal toString call is made in the Dubbo instance on this gadget chain,
> during exception creation.
>
> Notice that this vulnerability only affects users who enable the http protocol
> provided by Dubbo:
> <dubbo:protocol name="http" />
>
> Mitigation:
> 1. Users of all versions can upgrade to 2.7.5 or a higher version:
> https://github.com/apache/dubbo/releases/tag/dubbo-2.7.5
>
> Credit:
> This issue was discovered by Dor Tumarkin from the Chekmarx Team
>
> Jun
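The advisory above states two conditions for exposure: an affected Dubbo version and the http protocol enabled via `<dubbo:protocol name="http" />`. The following is an added example (not the advisory's or the Dubbo project's own code) that applies both checks to a version string and an XML config; the sample configs and their namespace URI are constructed placeholders.

```python
# Added example: exposure check for CVE-2019-17564 using the advisory's
# two conditions (affected Dubbo version AND http protocol enabled).
import re
import xml.etree.ElementTree as ET

# Affected ranges as listed in the advisory; every 2.5.x release is affected.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 4)),
    ((2, 6, 0), (2, 6, 7)),
    ((2, 5, 0), (2, 5, 9999)),
]


def parse_version(text):
    """Turn '2.7.3' (or '2.7.3-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Dubbo version: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def http_protocol_enabled(config_xml):
    """True if any <dubbo:protocol name="http"/> element is present, whatever its namespace."""
    root = ET.fromstring(config_xml)
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip the '{namespace}' prefix ElementTree adds
        if local == "protocol" and el.get("name", "").lower() == "http":
            return True
    return False


def dubbo_http_exposed(version, config_xml):
    """Both advisory conditions must hold for CVE-2019-17564 to apply to this provider."""
    return version_affected(version) and http_protocol_enabled(config_xml)


# Constructed sample configs (hypothetical); the namespace URI is a placeholder.
CFG_HTTP = """<beans xmlns:dubbo="urn:placeholder-dubbo-ns">
  <dubbo:application name="demo-provider"/>
  <dubbo:protocol name="http" port="8080"/>
</beans>"""
CFG_DUBBO_ONLY = CFG_HTTP.replace('name="http"', 'name="dubbo"')

if __name__ == "__main__":
    for ver, cfg in [("2.7.3", CFG_HTTP), ("2.7.5", CFG_HTTP), ("2.7.3", CFG_DUBBO_ONLY)]:
        print(ver, "exposed" if dubbo_http_exposed(ver, cfg) else "not exposed")
```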
