Signature Detail
This site is deprecated. Please CLICK HERE for latest updates
Short Name |
HTTP:APACHE:DUBBO-RMTINVCTN-ID |
|---|---|
Severity |
Minor |
Recommended |
Yes |
Category |
HTTP |
Keywords |
Apache Dubbo HttpRemoteInvocation Insecure Deserialization |
Release Date |
2020/04/30 |
Update Number |
3277 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
HTTP: Apache Dubbo HttpRemoteInvocation Insecure Deserialization
This signature detects attempts to exploit a known vulnerability against Apache Dubbo. A successful attack can lead to arbitrary code execution.
Extended Description
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
Affected Products
- Apache dubbo 2.5.0
- Apache dubbo 2.5.1
- Apache dubbo 2.5.10
- Apache dubbo 2.5.2
- Apache dubbo 2.5.3
- Apache dubbo 2.5.4
- Apache dubbo 2.5.5
- Apache dubbo 2.5.6
- Apache dubbo 2.5.7
- Apache dubbo 2.5.8
- Apache dubbo 2.5.9
- Apache dubbo 2.6.0
- Apache dubbo 2.6.1
- Apache dubbo 2.6.2
- Apache dubbo 2.6.3
- Apache dubbo 2.6.4
- Apache dubbo 2.6.5
- Apache dubbo 2.6.6
- Apache dubbo 2.6.7
- Apache dubbo 2.7.0
- Apache dubbo 2.7.1
- Apache dubbo 2.7.2
- Apache dubbo 2.7.3
- Apache dubbo 2.7.4
References
- CVE: CVE-2019-17564