Severity: 10 - Critical Severity
Affected versions of Apache and Alibaba Dubbo are vulnerable to Remote Code Execution over the Dubbo Protocol. The Dubbo Protocol transmits serialized objects together with header flags that select which deserializer the provider uses to read the object, so an attacker can choose an unsafe deserializer for their payload and achieve RCE.
- org.apache.dubbo <= 2.7.9
- com.alibaba.dubbo <= 2.6.9
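Added example, not code from the advisory or from the Dubbo project: a defender-side Python check that parses the 16-byte Dubbo frame header described above and alerts on requests whose flag byte selects a deserializer outside the provider's allow-list. The serialization-id table, the hessian2-only default allow-list and the sample frames are assumptions and constructed fixtures to verify against the Dubbo version actually deployed.

```python
import struct

DUBBO_MAGIC = 0xDABB      # first two bytes of every Dubbo frame
HEADER_LEN = 16           # magic(2) flag(1) status(1) request id(8) body length(4)
FLAG_REQUEST = 0x80       # bit 7 of the flag byte: request (1) or response (0)
SERIALIZATION_MASK = 0x1F # low 5 bits of the flag byte select the (de)serializer
# Serialization ids carried in the flag byte. Assumption: taken from Dubbo's
# serialization constants; verify against the Dubbo version actually deployed.
SERIALIZATION_NAMES = {2: "hessian2", 3: "java", 4: "compactedjava", 6: "fastjson",
                       7: "nativejava", 8: "kryo", 9: "fst"}

def parse_dubbo_header(data: bytes) -> dict:
    """Decode the 16-byte Dubbo header; raises ValueError on a non-Dubbo frame."""
    if len(data) < HEADER_LEN:
        raise ValueError("frame shorter than a Dubbo header")
    magic, flag, status, request_id, body_len = struct.unpack(">HBBqI", data[:HEADER_LEN])
    if magic != DUBBO_MAGIC:
        raise ValueError("bad magic: not a Dubbo frame")
    ser_id = flag & SERIALIZATION_MASK
    return {"is_request": bool(flag & FLAG_REQUEST), "status": status,
            "request_id": request_id, "body_len": body_len, "serialization_id": ser_id,
            "serialization": SERIALIZATION_NAMES.get(ser_id, f"unknown({ser_id})")}

def audit_frame(data: bytes, allowed_ids=frozenset({2})) -> dict:
    """Defender-side check: alert when a request's flag byte selects a serializer
    outside the provider's allow-list (hessian2 by default) or when the declared
    body length disagrees with the captured frame."""
    hdr = parse_dubbo_header(data)
    reasons = []
    if hdr["is_request"] and hdr["serialization_id"] not in allowed_ids:
        reasons.append(f"request selects serializer {hdr['serialization']} "
                       f"(id {hdr['serialization_id']}), not in allow-list")
    if hdr["body_len"] != len(data) - HEADER_LEN:
        reasons.append("declared body length does not match frame length")
    hdr["alert"] = bool(reasons)
    hdr["reasons"] = reasons
    return hdr

def build_test_frame(flag: int, body: bytes, request_id: int = 1) -> bytes:
    """Constructed fixture only: a header followed by an inert placeholder body."""
    return struct.pack(">HBBqI", DUBBO_MAGIC, flag, 0, request_id, len(body)) + body

# Constructed samples: a normal hessian2 request, and one whose header asks the
# provider to use a different deserializer (the pattern described in the advisory).
BENIGN_FRAME = build_test_frame(FLAG_REQUEST | 2, b"placeholder hessian2 body")
FLAGGED_FRAME = build_test_frame(FLAG_REQUEST | 7, b"placeholder body")
```

Run the same check over frames captured in front of a provider (or inside a Dubbo filter) to spot clients that negotiate a deserializer the provider was never meant to expose.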
Exploiting this vulnerability could result in RCE in the Dubbo provider instance.
Follow the instructions in the Checkmarx blog post.
- Upgrade from Alibaba Dubbo to Apache Dubbo; Alibaba Dubbo is no longer maintained
- Update Apache Dubbo to its latest version
This issue was discovered and reported by Checkmarx Security Research Team Leader Dor Tumarkin (@dortumarkin).