Posted to commits@dubbo.apache.org by li...@apache.org on 2021/01/20 08:15:39 UTC

[dubbo-website] branch master updated: update security page content

This is an automated email from the ASF dual-hosted git repository.

liujun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 59df7f3  update security page content
59df7f3 is described below

commit 59df7f378305f3305ebcf1d397b6e3404b8d0ef0
Author: ken.lj <ke...@gmail.com>
AuthorDate: Wed Jan 20 16:15:18 2021 +0800

    update security page content
---
 content/en/docs/notices/security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/notices/security.md b/content/en/docs/notices/security.md
index 8268dbe..82bf319 100755
--- a/content/en/docs/notices/security.md
+++ b/content/en/docs/notices/security.md
@@ -8,7 +8,7 @@ weight: 90
 ---
 
 
-## εΊεˆ—εŒ–
+## Deserialization Vulnerabilities
 Dubbo supports the extension of serialization protocol. Theoretically, users can enable serialization protocol with arbitrary order based on the extension mechanism, which brings great flexibility, but at the same time, they should be aware of the potential security risks.
 Data deserialization is one of the most vulnerable links to be exploited by attackers. Attackers use it to steal or destroy server-side data, such as rce attack. Before switching the serialization protocol or implementation, the user can,
 We should fully investigate the security guarantee of target serialization protocol and its framework implementation, and set corresponding security measures in advance (such as setting Black / white list). The Dubbo framework itself cannot guarantee the security of the target serialization mechanism.
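
Review bot: The two context lines directly under the new "Deserialization Vulnerabilities" heading still split one sentence mid-clause ("the user can," followed on the next line by "We should fully investigate ..."), so the guidance the heading introduces reads as broken. Suggest merging them in this same change into a single sentence along the lines of "Before switching the serialization protocol or implementation, users should fully investigate the security guarantee of the target serialization protocol ...". In the same lines, "rce attack" should be "RCE attack" and "Black / white list" should be written as one consistent term. Separately, the index line shows mode 100755 on a Markdown file; the executable bit is not needed on security.md and could be dropped in a follow-up.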