Vulnerability-Lookup

CNVD-2020-34468

Vulnerability from cnvd - Published: 2020-06-24

Title

Apache Dubbo Provider远程代码执行漏洞

Description

Apache Dubbo是一种基于Java的高性能RPC框架。 Apache Dubbo Provider存在远程代码执行漏洞。攻击者可以发送未经验证的服务名或方法名的RPC请求，同时配合附加恶意的参数负载。当恶意参数被反序列化时，将执行恶意代码。

Severity

高

Patch Name

Apache Dubbo Provider远程代码执行漏洞的补丁

Patch Description

Apache Dubbo是一种基于Java的高性能RPC框架。 Apache Dubbo Provider存在远程代码执行漏洞。攻击者可以发送未经验证的服务名或方法名的RPC请求，同时配合附加恶意的参数负载。当恶意参数被反序列化时，将执行恶意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

升级至Apache Dubbo 2.7.7或更高版本，同时不要对外开启telnet功能，CNVD建议用户立即升级至最新版本： https://www.apache.org/

Reference

https://xlab.tencent.com/cn/2020/06/23/xlab-20-001/?from=timeline

Impacted products

Name
['Apache Dubbo 2.7.0 ~ 2.7.6', 'Apache Dubbo 2.6.0 ~ 2.6.7', 'Apache Dubbo 2.5.x 所有版本 (官方不再提供支持)']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-1948"
    }
  },
  "description": "Apache Dubbo\u662f\u4e00\u79cd\u57fa\u4e8eJava\u7684\u9ad8\u6027\u80fdRPC\u6846\u67b6\u3002\n\nApache Dubbo Provider\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u53d1\u9001\u672a\u7ecf\u9a8c\u8bc1\u7684\u670d\u52a1\u540d\u6216\u65b9\u6cd5\u540d\u7684RPC\u8bf7\u6c42\uff0c\u540c\u65f6\u914d\u5408\u9644\u52a0\u6076\u610f\u7684\u53c2\u6570\u8d1f\u8f7d\u3002\u5f53\u6076\u610f\u53c2\u6570\u88ab\u53cd\u5e8f\u5217\u5316\u65f6\uff0c\u5c06\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u5347\u7ea7\u81f3Apache Dubbo 2.7.7\u6216\u66f4\u9ad8\u7248\u672c\uff0c\u540c\u65f6\u4e0d\u8981\u5bf9\u5916\u5f00\u542ftelnet\u529f\u80fd\uff0cCNVD\u5efa\u8bae\u7528\u6237\u7acb\u5373\u5347\u7ea7\u81f3\u6700\u65b0\u7248\u672c\uff1a\r\nhttps://www.apache.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-34468",
  "openTime": "2020-06-24",
  "patchDescription": "Apache Dubbo\u662f\u4e00\u79cd\u57fa\u4e8eJava\u7684\u9ad8\u6027\u80fdRPC\u6846\u67b6\u3002\r\n\r\nApache Dubbo Provider\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u53d1\u9001\u672a\u7ecf\u9a8c\u8bc1\u7684\u670d\u52a1\u540d\u6216\u65b9\u6cd5\u540d\u7684RPC\u8bf7\u6c42\uff0c\u540c\u65f6\u914d\u5408\u9644\u52a0\u6076\u610f\u7684\u53c2\u6570\u8d1f\u8f7d\u3002\u5f53\u6076\u610f\u53c2\u6570\u88ab\u53cd\u5e8f\u5217\u5316\u65f6\uff0c\u5c06\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Dubbo Provider\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Dubbo 2.7.0 ~ 2.7.6",
      "Apache Dubbo 2.6.0 ~ 2.6.7",
      "Apache Dubbo 2.5.x \u6240\u6709\u7248\u672c (\u5b98\u65b9\u4e0d\u518d\u63d0\u4f9b\u652f\u6301)"
    ]
  },
  "referenceLink": "https://xlab.tencent.com/cn/2020/06/23/xlab-20-001/?from=timeline",
  "serverity": "\u9ad8",
  "submitTime": "2020-06-24",
  "title": "Apache Dubbo Provider\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

CVE-2020-1948 (GCVE-0-2020-1948)

Vulnerability from cvelistv5 – Published: 2020-07-14 13:11 – Updated: 2024-08-04 06:53

Summary

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.

Severity ?

No CVSS data available.

CWE

Remote Code Execution through Deserialization

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread.html/rbaa41711b3e…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Apache Dubbo	Affected: Apache Dubbo 2.5.x, 2.6.0 to 2.6.8, 2.7.0 to 2.7.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:53:59.966Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Dubbo",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Dubbo 2.5.x, 2.6.0 to 2.6.8, 2.7.0 to 2.7.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote Code Execution through Deserialization",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-14T13:11:31.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-1948",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Dubbo",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Dubbo 2.5.x, 2.6.0 to 2.6.8, 2.7.0 to 2.7.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Remote Code Execution through Deserialization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-1948",
    "datePublished": "2020-07-14T13:11:31.000Z",
    "dateReserved": "2019-12-02T00:00:00.000Z",
    "dateUpdated": "2024-08-04T06:53:59.966Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-34468

CVE-2020-1948 (GCVE-0-2020-1948)

Tags

Sightings

Nomenclature