PT-2023-7948 · Apache · Apache Dubbo

Bofei Chen

Published

2023-12-15

Updated

2023-12-21

CVE-2023-29234

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Apache Dubbo versions 3.1.0 through 3.1.10 Apache Dubbo versions 3.2.0 through 3.2.4

Description A deserialization vulnerability exists when decoding a malicious package, which can allow a remote attacker to execute arbitrary code or cause a denial of service. The issue is related to shortcomings in the deserialization mechanism of the Apache Dubbo RPC framework.

Recommendations For Apache Dubbo versions 3.1.0 through 3.1.10, upgrade to the latest version to fix the issue. For Apache Dubbo versions 3.2.0 through 3.2.4, upgrade to the latest version to fix the issue. As a temporary workaround, consider restricting the decoding of packages to minimize the risk of exploitation.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

BDU:2023-09032

CVE-2023-29234

GHSA-6X49-W35H-WQRJ

Affected Products

Apache Dubbo

PT-2023-7948 · Apache · Apache Dubbo

CVE-2023-29234

Weakness Enumeration

Related Identifiers

Affected Products

References · 15