PT-2021-9433 · Apache · Apache Dubbo

Published

2021-01-11

·

Updated

2022-02-09

·

CVE-2020-11995

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache Dubbo 2.7.x before 2.7.8 and 2.6.x before 2.6.9
Description

A deserialization vulnerability exists in Apache Dubbo that can lead to remote code execution. Most Dubbo deployments use Hessian2 as the default serialization protocol, and a Dubbo provider deserializes the arguments of an incoming RPC request before any application code sees them. When Hessian2 deserializes a HashMap it rebuilds the map by inserting each decoded key, which invokes that key's hashCode(). The sender, not the service's method signature, controls the types encoded in the request, so an attacker who can reach the provider's Dubbo port can supply a map key that is an instance of any class on the provider's classpath; if that class's hashCode() has side effects, they run during deserialization. The example cited in the advisory is the EqualsBean class in rome-1.7.0.jar: its hashCode() calls methods on the object it wraps, which, combined with a suitable second class on the classpath, can be chained into loading a remote class and executing attacker-supplied code from a single crafted request.
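The mechanism described above, as an added illustration that is not code from the advisory, Dubbo or rome: the key's hashCode() fires inside readObject(), before the application can inspect the map, and an allowlisting deserializer stops it by refusing the key's class before any instance exists. The example uses java.io serialization rather than Hessian2 so that it runs with no dependencies; Hessian2's map deserializer rebuilds the map with put() and has the same property. The CanaryKey stand-in, the class names and the allowlist contents are assumptions made for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration (not Dubbo or rome code): deserializing a HashMap invokes
 * hashCode() on every key while the map is rebuilt, so a key class chosen by the
 * sender runs code before the receiving application sees the object. java.io
 * serialization is used because it needs no dependencies; Hessian2's map
 * deserializer has the same property, since it rebuilds the map with put().
 */
public class MapKeyHashCodeDemo {

    /** Benign stand-in for a gadget key such as rome's EqualsBean: hashCode() has a side effect. */
    static final class CanaryKey implements Serializable {
        private static final long serialVersionUID = 1L;
        /** Static so the count is visible after deserialization creates a fresh instance. */
        static int hashCodeCalls = 0;
        private final String name;

        CanaryKey(String name) { this.name = name; }

        @Override public int hashCode() {
            hashCodeCalls++;                       // a real gadget would do something harmful here
            return name.hashCode();
        }

        @Override public boolean equals(Object other) {
            return other instanceof CanaryKey && ((CanaryKey) other).name.equals(name);
        }
    }

    /** Class filtering as a hardened deserializer applies it: unknown classes are refused before instantiation. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedClasses;

        AllowlistObjectInputStream(byte[] data, Set<String> allowedClasses) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowedClasses = allowedClasses;
        }

        @Override protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called for every class descriptor in the stream, before any instance of it exists.
            if (!allowedClasses.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    /** How many times the key's hashCode() ran while the map was deserialized without filtering. */
    static int hashCodeCallsDuringPlainRead(byte[] wire) throws IOException, ClassNotFoundException {
        CanaryKey.hashCodeCalls = 0;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.readObject();                        // HashMap.readObject() -> put -> key.hashCode()
        }
        return CanaryKey.hashCodeCalls;
    }

    /** How many times hashCode() ran when only java.util.HashMap is allowed: the key class is refused first. */
    static int hashCodeCallsDuringAllowlistedRead(byte[] wire) throws IOException, ClassNotFoundException {
        CanaryKey.hashCodeCalls = 0;
        try (ObjectInputStream in = new AllowlistObjectInputStream(wire, Set.of("java.util.HashMap"))) {
            in.readObject();
        } catch (InvalidClassException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
        return CanaryKey.hashCodeCalls;
    }

    public static void main(String[] args) throws Exception {
        Map<CanaryKey, String> request = new HashMap<>();
        request.put(new CanaryKey("attacker-chosen-key"), "value");   // put() itself calls hashCode() once
        byte[] wire = serialize(request);                              // the bytes that reach the provider

        System.out.println("plain read, hashCode() calls:       " + hashCodeCallsDuringPlainRead(wire));
        System.out.println("allowlisted read, hashCode() calls: " + hashCodeCallsDuringAllowlistedRead(wire));
    }
}
```

The plain read reports one hashCode() call made by HashMap.readObject() on the provider's behalf, while the allowlisted read reports none: the stream is rejected at the CanaryKey class descriptor, so no key instance and no side effect ever exists. The allowlist must name every class legitimately present in the stream (here java.util.HashMap), which is why class filtering is configured per service rather than guessed from the gadget of the day.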
Recommendations

Upgrade to a fixed release: 2.6.9 or later on the 2.6.x line, 2.7.8 or later on the 2.7.x line; the fixed releases add checks on which classes the Hessian2 deserializer will instantiate. Until the upgrade is deployed, reduce exposure rather than trying to alter library code: a third-party class's hashCode() cannot be "disabled", and because the request is decoded by the protocol layer before any service method runs, avoiding HashMap parameters in your own API does not prevent an attacker from sending one. Restrict network access to the Dubbo provider port (20880 by default) to trusted consumers and never expose it to untrusted networks, since the Dubbo protocol accepts requests without authentication by default. Remove rome and other unused libraries from the provider classpath to shrink the set of usable gadget classes, keeping in mind that this removes one known chain rather than the underlying flaw.

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2020-11995
GHSA-74MG-6XQX-2VRQ

Affected Products

Apache Dubbo