Sofarpc · CVE-2023-41331
**Name of the Vulnerable Software and Affected Versions**
SOFARPC versions prior to 5.11.0
**Description**
SOFARPC is a Java RPC framework. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. The default configuration of the SOFARPC framework uses a blacklist to filter out dangerous classes during deserialization. However, the blacklist is not comprehensive, allowing an attacker to exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution.
**Recommendations**
For versions prior to 5.11.0, update to version 5.11.0 to resolve the issue.
As a temporary workaround, users can start the JVM with `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat`, which appends that class to the deserialization blacklist.
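As an added illustration that is not part of the advisory or the SOFARPC project, the following script scans an application's lib/ directory for sofa-rpc jars below the fixed 5.11.0 release and prints the workaround flag for each hit; the jar naming pattern (`sofa-rpc-<module>-<version>.jar`) and the flat lib/ layout are assumptions, and pre-release qualifiers are ignored when comparing versions.

```python
"""Inventory check for CVE-2023-41331: flag SOFARPC jars older than the fixed
release (5.11.0) and print the advisory's temporary workaround for each."""
import re
import sys
from pathlib import Path

FIXED_VERSION = (5, 11, 0)
# Temporary workaround from the advisory: append the gadget class to
# SOFARPC's deserialization blacklist through this system property.
WORKAROUND_FLAG = ("-Drpc_serialize_blacklist_override="
                   "javax.sound.sampled.AudioFileFormat")

# Assumed naming, e.g. sofa-rpc-all-5.10.0.jar or sofa-rpc-core-5.11.0-SNAPSHOT.jar.
# Any qualifier after the patch number is ignored when comparing.
JAR_RE = re.compile(
    r"^sofa-rpc(?:-[a-z-]+)?-(\d+)\.(\d+)\.(\d+)(?:[-.][\w.-]*)?\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) for a sofa-rpc jar name, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(jar_name):
    """True when the name is a sofa-rpc jar with a version below 5.11.0."""
    version = parse_version(jar_name)
    return version is not None and version < FIXED_VERSION


def vulnerable_jars(jar_names):
    """Filter an iterable of file names down to the vulnerable sofa-rpc jars."""
    return sorted(name for name in jar_names if is_vulnerable(name))


def scan_dir(lib_dir):
    """Scan one directory (non-recursive), e.g. an application's lib/ folder."""
    return vulnerable_jars(p.name for p in Path(lib_dir).glob("*.jar"))


if __name__ == "__main__":
    found = scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name in found:
        print(f"{name}: affected by CVE-2023-41331; upgrade to 5.11.0 "
              f"or start the JVM with {WORKAROUND_FLAG}")
    sys.exit(1 if found else 0)
```

Run it as `python check_sofarpc.py /path/to/app/lib`; a non-zero exit status means at least one affected jar was found.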