Posted to dev@dubbo.apache.org by Jun Liu <li...@apache.org> on 2020/02/11 07:10:13 UTC

[CVE-2019-17564] Apache Dubbo deserialization vulnerability

Severity: Important


Vendor:
The Dubbo Project Team


Versions Affected:
Dubbo 2.7.0 to 2.7.4
Dubbo 2.6.0 to 2.6.7
Dubbo all 2.5.x versions (unsupported any longer)


Description:
This vulnerability can affect users using Dubbo-Rpc-Http (2.7.3 or lower) and Spring-Web (5.1.9.RELEASE or lower).
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP.
The Dubbo HTTP instance attempts to deserialize data within the Java ObjectStream, which contains a malicious set of classes, colloquially referred to as a gadget chain, whose invocation results in the execution of malicious code. In this instance, the malicious code in question allows arbitrary OS commands, and the invocation of the gadget chain occurs when an internal toString call is made in the Dubbo instance on this gadget chain, during exception creation. 

Notice that this vulnerability only affects users who enable the http protocol provided by Dubbo:
<dubbo:protocol name="http" />


Mitigation:
1. Users of all versions can try to upgrade to 2.7.5 or a higher version, https://github.com/apache/dubbo/releases/tag/dubbo-2.7.5

Credit:
This issue was discovered by Dor Tumarkin from the Chekmarx Team

Jun
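Two triage checks a defender wants after reading the advisory above, as an added example that is not part of the original mail or of the Dubbo project: whether a deployment is in an affected version range and declares the http protocol, and whether a POST body begins with a Java ObjectStream header (the 0xACED0005 magic that ObjectOutputStream writes). The Spring XML config and the request bodies are constructed sample inputs.

```python
"""Constructed triage helpers for CVE-2019-17564 (not Dubbo project code)."""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed in the advisory (inclusive); 2.5.x is handled
# separately because every 2.5 release is affected.
AFFECTED = [((2, 7, 0), (2, 7, 4)), ((2, 6, 0), (2, 6, 7))]
# Header every java.io.ObjectOutputStream emits: STREAM_MAGIC 0xACED, VERSION 0x0005.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Constructed sample Spring/Dubbo config; the namespace URI is an assumption.
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:dubbo="http://dubbo.apache.org/schema/dubbo">
  <dubbo:application name="demo-provider"/>
  <dubbo:protocol name="http" port="8080"/>
</beans>"""


def parse_version(v):
    """'2.7.3' -> (2, 7, 3); trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable Dubbo version: {v!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(v):
    t = parse_version(v)
    if t[:2] == (2, 5):
        return True
    return any(lo <= t <= hi for lo, hi in AFFECTED)


def http_protocol_enabled(config_xml):
    """True if the XML declares a dubbo protocol element with name="http".

    Matched on local name so either the dubbo.apache.org or the legacy
    alibabatech namespace URI works."""
    root = ET.fromstring(config_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "protocol" and el.get("name", "").lower() == "http":
            return True
    return False


def deployment_exposed(version, config_xml):
    """Exposed only when both conditions from the advisory hold."""
    return version_affected(version) and http_protocol_enabled(config_xml)


def body_is_java_object_stream(body):
    """Detection signal: a POST body that starts with a Java serialized stream."""
    return body[:4] == JAVA_STREAM_MAGIC
```

Upgrading per the advisory is the fix; these checks only help locate exposed providers and flag serialized-object POSTs in request logs.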


Re: [CVE-2019-17564] Apache Dubbo deserialization vulnerability

Posted by Jun Liu <li...@apache.org>.
Hi,

Sorry for the typo, the vulnerability was reported by Dor Tumarkin from the Checkmarx Research Team.

Thanks again to Dor for the vulnerability report.

Jun

> On Feb 11, 2020, at 4:10 PM, Dor Tumarkin <Do...@checkmarx.com> wrote:
> 
> Hi Jun,
> Thank you for the update!
> Can you correct the typo in company name and credit the research team, so it’s “Dor Tumarkin from the Checkmarx Research Team”?
>  
> Thanks,
> Dor
>  
> From: Jun Liu <li...@apache.org> 
> Sent: Tuesday, February 11, 2020 9:10 AM
> To: security@dubbo.apache.org; dev@dubbo.apache.org; Erez Yalon <er...@checkmarx.com>; Dor Tumarkin <Do...@checkmarx.com>
> Subject: [CVE-2019-17564] Apache Dubbo deserialization vulnerability
>  


RE: [CVE-2019-17564] Apache Dubbo deserialization vulnerability

Posted by Dor Tumarkin <Do...@checkmarx.com>.
Hi Jun,
Thank you for the update!
Can you correct the typo in company name and credit the research team, so it’s “Dor Tumarkin from the Checkmarx Research Team”?

Thanks,
Dor

From: Jun Liu <li...@apache.org>
Sent: Tuesday, February 11, 2020 9:10 AM
To: security@dubbo.apache.org; dev@dubbo.apache.org; Erez Yalon <er...@checkmarx.com>; Dor Tumarkin <Do...@checkmarx.com>
Subject: [CVE-2019-17564] Apache Dubbo deserialization vulnerability
