Apache Dubbo High Severity Vulnerability

Hello, my name is yes.

Not long ago, the Log4j2 vulnerability caused a lot of noise. The day when hundreds of applications had to be updated is still fresh in my memory.

Today I saw another high-severity vulnerability notice for Apache Dubbo. Looking at the version, our application is affected...

In fact, this vulnerability was disclosed several days ago. Its impact is not as broad as that of Log4j2, so it has not drawn as much attention, but it is still rated high severity.

It is another vulnerability that allows remote code execution, and the root cause is a deserialization problem.

According to the official website of the 360 Network Security Response Center (360 CERT), the notice was published on January 14.

The evaluation results of this vulnerability are as follows:

As the assessment shows, this is still a vulnerability with a fairly serious impact.

Specifically, Apache Dubbo's hessian-lite 3.2.11 and earlier contain a deserialization vulnerability, and hessian-lite happens to be Dubbo's default serialization implementation.

hessian2 serialization: Hessian is an efficient, cross-language binary serialization format. What Dubbo uses, however, is not the upstream Hessian 2 implementation but hessian-lite, a fork modified by Alibaba, and it is the serialization enabled by default for Dubbo RPC.

Generally the default implementation is not changed unless there is a special requirement, so most Dubbo users are caught by this one.

The specific affected versions are as follows:

So if you use Dubbo, check your application to see whether it is affected.
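As an added example (not part of the original post), the shell snippet below checks whether the `hessian-lite` artifact resolved in a Maven dependency tree falls in the affected range given above, 3.2.11 and earlier. It assumes the Maven coordinates `com.alibaba:hessian-lite` and the line format of `mvn dependency:tree`; the sample tree is constructed for illustration and its other versions are not significant.

```shell
#!/bin/sh
# Added example, not code from the original post or from Dubbo.
# Flags com.alibaba:hessian-lite versions in the affected range
# (3.2.11 and earlier) in `mvn dependency:tree` output.

# hessian_lite_vulnerable VERSION -> exit 0 if VERSION <= 3.2.11, else 1.
# Compares dotted numeric components directly so it does not rely on
# `sort -V` being available.
hessian_lite_vulnerable() {
    # Split "a.b.c" into positional parameters; missing parts default to 0.
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    a=${1:-0}; b=${2:-0}; c=${3:-0}
    # Drop any non-numeric suffix on the patch component (e.g. "12-SNAPSHOT").
    c=${c%%[!0-9]*}; c=${c:-0}
    if [ "$a" -lt 3 ] \
       || { [ "$a" -eq 3 ] && [ "$b" -lt 2 ]; } \
       || { [ "$a" -eq 3 ] && [ "$b" -eq 2 ] && [ "$c" -le 11 ]; }; then
        return 0
    fi
    return 1
}

# scan_dependency_tree reads `mvn dependency:tree` output on stdin and prints
# one line per hessian-lite occurrence: "<version> VULNERABLE" or "<version> ok".
# Returns 0 if at least one affected version was found, 1 otherwise.
scan_dependency_tree() {
    found=1
    while IFS= read -r line; do
        case $line in
            *com.alibaba:hessian-lite:*) ;;
            *) continue ;;
        esac
        # Coordinates look like groupId:artifactId:type:version[:scope];
        # capture the field right after the type.
        ver=$(printf '%s\n' "$line" \
              | sed -n 's/.*com\.alibaba:hessian-lite:[^:]*:\([^:]*\).*/\1/p')
        if hessian_lite_vulnerable "$ver"; then
            printf '%s VULNERABLE\n' "$ver"
            found=0
        else
            printf '%s ok\n' "$ver"
        fi
    done
    return $found
}

# Constructed sample of `mvn dependency:tree` output (assumed, for illustration).
SAMPLE_TREE='[INFO] com.example:order-service:jar:1.0.0
[INFO] +- org.apache.dubbo:dubbo:jar:2.7.x:compile
[INFO] |  +- com.alibaba:hessian-lite:jar:3.2.11:compile
[INFO] |  \- org.javassist:javassist:jar:3.28.0-GA:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.32:compile'

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_TREE" | scan_dependency_tree
```

In a real project, feed the plugin's output in directly: `mvn dependency:tree -Dincludes=com.alibaba:hessian-lite | scan_dependency_tree`. What matters is the version actually resolved in the tree, which Dubbo pulls in transitively, not whatever a parent POM declares.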

Reference: https://cert.360.cn/warning/detail?id=413132b068d5e062e3059adc758d3500

I'm yes, see you next time~


Source: blog.csdn.net/yessimida/article/details/122676115