| Short Name | HTTP:APACHE:DUBBO-RMTINVCTN-ID |
|---|---|
| Severity | Minor |
| Recommended | Yes |
| Category | HTTP |
| Keywords | Apache Dubbo HttpRemoteInvocation Insecure Deserialization |
| Release Date | 2020/04/30 |
| Update Number | 3277 |
| Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |

This signature detects attempts to exploit a known vulnerability against Apache Dubbo. A successful attack can lead to arbitrary code execution.

Unsafe deserialization occurs in a Dubbo application that has HTTP remoting enabled. An attacker may submit a POST request containing a Java object to completely compromise a Provider instance of Apache Dubbo, if that instance has HTTP enabled. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
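
The condition described above (a POST request carrying a Java object) can be recognised from the serialization stream header. The following Python example is added here for illustration and is not the vendor's signature logic, which this page does not publish; the media type, host name and paths are assumptions, and the sample requests are constructed.

```python
# Every java.io.ObjectOutputStream stream starts with STREAM_MAGIC (0xACED)
# followed by STREAM_VERSION (0x0005).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Assumption: the remoting layer labels its payload with this media type.
SERIALIZED_CT = "application/x-java-serialized-object"

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), headers, body

def classify(raw: bytes) -> str:
    """Return 'alert', 'suspicious', 'ok' or 'unparsed' for one request."""
    try:
        method, headers, body = parse_request(raw)
    except ValueError:
        return "unparsed"
    if method != "POST":
        return "ok"
    if body.startswith(JAVA_STREAM_MAGIC):
        return "alert"  # a Java object is being submitted over HTTP
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == SERIALIZED_CT:
        return "suspicious"  # declared as a Java object but body is encoded or empty
    return "ok"

# Constructed sample requests (hypothetical host and paths; the payload is the
# benign serialized form of the string "hello").
HDR = b"POST /org.example.DemoService HTTP/1.1\r\nHost: provider.example\r\n"
CT = b"Content-Type: " + SERIALIZED_CT.encode() + b"\r\n\r\n"
SAMPLES = {
    "java_object": HDR + CT + JAVA_STREAM_MAGIC + b"t\x00\x05hello",
    "json": HDR + b"Content-Type: application/json\r\n\r\n{\"a\": 1}",
    "declared_only": HDR + CT,
    "get": b"GET /health HTTP/1.1\r\nHost: provider.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

Legitimate remoting clients produce the same pattern, so a hit is a reason to check whether the Provider runs one of the affected versions listed above.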