Recently, a deserialization vulnerability (CVE-2023-23638) was found in Apache Dubbo. The vulnerability lies in Dubbo's generic invocation (generic invoke) path and can lead to malicious code execution. The details and a POC for this vulnerability have already been publicly disclosed, so the risk is high.
This issue affects Apache Dubbo 2.7.x versions 2.7.21 and prior; Apache Dubbo 3.0.x versions 3.0.13 and prior; and Apache Dubbo 3.1.x versions 3.1.5 and prior.
Apache Dubbo is a lightweight Java-based RPC (Remote Procedure Call) framework. If you use Apache Dubbo, check your deployments and apply security hardening promptly.
Reference: https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb
Severity: important
(Severity scale: low, moderate, important, critical)
Affected versions:
Apache Dubbo 2.7.x < 2.7.21
Apache Dubbo 3.0.x < 3.0.13
Apache Dubbo 3.1.x < 3.1.5
Secure versions:
Apache Dubbo 2.7.21
Apache Dubbo 3.0.13
Apache Dubbo 3.1.5
This vulnerability has been fixed in later official releases. If your service version falls within the affected range, upgrade to the latest secure version.