CVE-2023-23638

Name of the Vulnerable Software and Affected Versions Apache Dubbo versions 2.7.21 and prior versions Apache Dubbo versions 3.0.13 and prior versions Apache Dubbo versions 3.1.5 and prior versions

Description A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. The issue is related to the mechanism of deserialization in the Apache Dubbo RPC framework, allowing a remote attacker to execute arbitrary code.

Recommendations For Apache Dubbo versions 2.7.21 and prior versions, update to a version later than 2.7.21. For Apache Dubbo versions 3.0.13 and prior versions, update to a version later than 3.0.13. For Apache Dubbo versions 3.1.5 and prior versions, update to a version later than 3.1.5. As a temporary workaround, consider disabling the dubbo generic invoke functionality until a patch is available. Restrict access to the vulnerable RPC endpoint to minimize the risk of exploitation.