Posted to notifications@dubbo.apache.org by GitBox <gi...@apache.org> on 2022/03/31 01:02:09 UTC

[GitHub] [dubbo] kinkwok117 opened a new issue #9867: Is Dubbo affected by Spring's 0-day RCE vulnerability

kinkwok117 opened a new issue #9867:
URL: https://github.com/apache/dubbo/issues/9867




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org


[GitHub] [dubbo] kinkwok117 commented on issue #9867: Is Dubbo affected by Spring's 0-day RCE vulnerability

Posted by GitBox <gi...@apache.org>.
kinkwok117 commented on issue #9867:
URL: https://github.com/apache/dubbo/issues/9867#issuecomment-1084019936


   > Dubbo only adds beans to the Spring container; it does not use Spring functions or expose web services by Spring. So this RCE will not affect Dubbo. But applications that adopt JDK 9+ and Spring should try some temporary fixes to avoid this RCE.
   
   Does this mean that if a project uses only Dubbo and does not use Spring, it is not affected?




[GitHub] [dubbo] kinkwok117 closed issue #9867: Is Dubbo affected by Spring's 0-day RCE vulnerability

Posted by GitBox <gi...@apache.org>.
kinkwok117 closed issue #9867:
URL: https://github.com/apache/dubbo/issues/9867


   




[GitHub] [dubbo] guohao commented on issue #9867: Is Dubbo affected by Spring's 0-day RCE vulnerability

Posted by GitBox <gi...@apache.org>.
guohao commented on issue #9867:
URL: https://github.com/apache/dubbo/issues/9867#issuecomment-1084046830


   > > Dubbo only adds beans to the Spring container; it does not use Spring functions or expose web services by Spring. So this RCE will not affect Dubbo. But applications that adopt JDK 9+ and Spring should try some temporary fixes to avoid this RCE.
   > 
   > Does this mean that if a project uses only Dubbo and does not use Spring, it is not affected?
   
   Yes, the root cause of this RCE is that requests from HTTP to SpringWeb may trigger reflection to execute any code. Projects that do not expose HTTP services with Spring will not be affected.




[GitHub] [dubbo] AlbumenJ commented on issue #9867: Is Dubbo affected by Spring's 0-day RCE vulnerability

Posted by GitBox <gi...@apache.org>.
AlbumenJ commented on issue #9867:
URL: https://github.com/apache/dubbo/issues/9867#issuecomment-1084045851


   > > Dubbo only adds beans to the Spring container; it does not use Spring functions or expose web services by Spring. So this RCE will not affect Dubbo. But applications that adopt JDK 9+ and Spring should try some temporary fixes to avoid this RCE.
   > 
   > Does this mean that if a project uses only Dubbo and does not use Spring, it is not affected?
   
   yep~




[GitHub] [dubbo] guohao edited a comment on issue #9867: Is Dubbo affected by Spring's 0-day RCE vulnerability

Posted by GitBox <gi...@apache.org>.
guohao edited a comment on issue #9867:
URL: https://github.com/apache/dubbo/issues/9867#issuecomment-1084046830


   > > Dubbo only adds beans to the Spring container; it does not use Spring functions or expose web services by Spring. So this RCE will not affect Dubbo. But applications that adopt JDK 9+ and Spring should try some temporary fixes to avoid this RCE.
   > 
   > Does this mean that if a project uses only Dubbo and does not use Spring, it is not affected?
   
   Yes, the root cause of this RCE is that requests from HTTP to SpringWeb may trigger reflection to execute any code. Projects that do not expose HTTP services with Spring will not be affected.




[GitHub] [dubbo] kinkwok117 commented on issue #9867: Is Dubbo affected by Spring's 0-day RCE vulnerability

Posted by GitBox <gi...@apache.org>.
kinkwok117 commented on issue #9867:
URL: https://github.com/apache/dubbo/issues/9867#issuecomment-1084154654


   > > > Dubbo only adds beans to the Spring container; it does not use Spring functions or expose web services by Spring. So this RCE will not affect Dubbo. But applications that adopt JDK 9+ and Spring should try some temporary fixes to avoid this RCE.
   > > 
   > > 
   > > Does this mean that if a project uses only Dubbo and does not use Spring, it is not affected?
   > 
   > Yes, the root cause of this RCE is that requests from HTTP to SpringWeb may trigger reflection to execute any code. Projects that do not expose HTTP services with Spring will not be affected.
   
   OK




[GitHub] [dubbo] guohao commented on issue #9867: Is Dubbo affected by Spring's 0-day RCE vulnerability

Posted by GitBox <gi...@apache.org>.
guohao commented on issue #9867:
URL: https://github.com/apache/dubbo/issues/9867#issuecomment-1083975655


   Dubbo only adds beans to the Spring container; it does not use Spring functions or expose web services by Spring. So this RCE will not affect Dubbo. But applications that adopt JDK 9+ and Spring should try some temporary fixes to avoid this RCE.

