CVE-2020-1948 | Apache Dubbo Provider Default Deserialization Remote Code Execution Vulnerability Advisory

Published 2020-06-23

0x00 Vulnerability Overview


CVE ID: CVE-2020-1948

Date: 2020-06-23

Type: RCE

Severity: High

Remotely exploitable: Yes

Affected versions:

Dubbo 2.7.0 - 2.7.6

Dubbo 2.6.0 - 2.6.7

Dubbo 2.5.x (no longer maintained by the project)



0x01 Vulnerability Details





Dubbo is a high-performance, lightweight Java RPC framework open-sourced by Alibaba. It provides three core capabilities: interface-oriented remote method invocation, intelligent fault tolerance with load balancing, and automatic service registration. It has been adopted by many large enterprises, including Alibaba Group, China Life, China Telecom, Dangdang, Didi Chuxing, Haier and ICBC.


On June 23, 2020, Apache published an advisory fixing a remote code execution vulnerability in Apache Dubbo (CVE-2020-1948). The vulnerability stems from a deserialization flaw in the Apache Dubbo Provider: an attacker can send an RPC request that carries an unrecognized service name or method name together with a malicious parameter payload, and when that malicious parameter is deserialized, arbitrary code is executed.
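As an added illustration of the detection side of the request shape just described (example code written for this advisory, not Dubbo's code or VSRC's), the script below checks provider access-log lines against an allowlist of the services and methods the provider is known to expose and flags invocations that name an unrecognized service or method. The log line layout, the allowlist and the sample lines are all constructed for the example; Dubbo's real access-log format may differ, so the regex would need adjusting in practice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Allowlist of the interfaces and methods this provider is meant to expose.
# Constructed for the example; in practice it would be derived from the
# provider's own service configuration.
EXPOSED_SERVICES: Dict[str, Set[str]] = {
    "com.example.UserService": {"getUser", "listUsers"},
    "com.example.OrderService": {"createOrder"},
}

# Constructed provider access-log lines. The layout
#   [timestamp] client -> server - service method(argTypes) args
# is an assumption for this example, not Dubbo's documented format.
SAMPLE_LOG = """\
[2020-06-23 10:01:02] 10.0.0.5:51234 -> 10.0.0.9:20880 - com.example.UserService getUser(java.lang.Long) [42]
[2020-06-23 10:01:03] 10.0.0.5:51235 -> 10.0.0.9:20880 - com.example.UserService deleteAll() []
[2020-06-23 10:01:04] 203.0.113.7:40001 -> 10.0.0.9:20880 - com.example.Nope$Service x(java.lang.Object) [...]
[2020-06-23 10:01:05] 10.0.0.6:51300 -> 10.0.0.9:20880 - com.example.OrderService createOrder(com.example.Order) [...]
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<client>\S+) -> (?P<server>\S+) - "
    r"(?P<service>\S+) (?P<method>[^(\s]+)\((?P<argtypes>[^)]*)\)"
)


@dataclass
class Finding:
    timestamp: str
    client: str
    service: str
    method: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def check_invocation(fields: dict, exposed: Dict[str, Set[str]]) -> Optional[str]:
    """Return why an invocation is suspicious, or None if it targets a known
    service and method. Unknown service or method names are the request
    shape the advisory describes, so they are worth alerting on."""
    service, method = fields["service"], fields["method"]
    if service not in exposed:
        return "unknown service"
    if method not in exposed[service]:
        return "unknown method"
    return None


def audit_access_log(text: str, exposed: Dict[str, Set[str]] = EXPOSED_SERVICES) -> List[Finding]:
    """Run every non-empty line through the allowlist check; unparseable
    lines are reported too, since a malformed record is itself a signal."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = parse_line(raw)
        if fields is None:
            findings.append(Finding("?", "?", "?", "?", "unparseable line"))
            continue
        reason = check_invocation(fields, exposed)
        if reason:
            findings.append(Finding(fields["ts"], fields["client"],
                                    fields["service"], fields["method"], reason))
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.service}.{f.method}: {f.reason}")
```

Running the script against the constructed sample reports two findings: the `deleteAll` call on a known service (unknown method) and the call to `com.example.Nope$Service` (unknown service). The allowlist is the key design choice: the provider already knows which interfaces it registered, so anything outside that set needs no signature to be worth a look.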


The vulnerability affects all users of Dubbo 2.7.6 and earlier, and its severity is rated high. VSRC advises users to audit their assets and apply the patch promptly.
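To support the asset self-audit recommended above, here is an added example (not part of the original advisory) that classifies Dubbo version strings from a constructed inventory against the ranges the advisory lists: 2.7.0 to 2.7.6, 2.6.0 to 2.6.7, and the unmaintained 2.5.x line, with 2.7.7 as the fixed release. The inventory format (host, tab, version string) and the host names are assumptions made for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Version ranges as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = (((2, 7, 0), (2, 7, 6)), ((2, 6, 0), (2, 6, 7)))
UNMAINTAINED_MINOR = (2, 5)      # 2.5.x: no longer maintained by the project
FIXED_VERSION: Version = (2, 7, 7)

# Constructed inventory: one "host<TAB>version" pair per line (assumed format).
SAMPLE_INVENTORY = """\
app-01\t2.7.3
app-02\t2.7.7
app-03\t2.6.7
legacy-01\t2.5.10
app-04\tdubbo-2.7.6
"""


class AuditResult(NamedTuple):
    host: str
    version: str
    status: str   # affected | unsupported | likely-affected | fixed | unknown
    action: str


def parse_version(text: str) -> Optional[Version]:
    """Pull the first major.minor.patch triple out of a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def classify(version: str) -> Tuple[str, str]:
    """Map a Dubbo version string to (status, recommended action)."""
    v = parse_version(version)
    if v is None:
        return "unknown", "could not parse version; inspect manually"
    if v[:2] == UNMAINTAINED_MINOR:
        return "unsupported", "2.5.x is unmaintained; upgrade to 2.7.7"
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            return "affected", "upgrade to 2.7.7 (back up data first)"
    if v >= FIXED_VERSION:
        return "fixed", "no action for CVE-2020-1948"
    # Below 2.7.7 but outside the listed ranges (e.g. 2.4.x): the advisory says
    # 2.7.6 and earlier are affected, so treat it as affected pending review.
    return "likely-affected", "older than the listed ranges; verify and upgrade"


def audit_inventory(text: str) -> List[AuditResult]:
    """Classify every host in a tab-separated inventory."""
    results: List[AuditResult] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition("\t")
        status, action = classify(version.strip())
        results.append(AuditResult(host.strip(), version.strip(), status, action))
    return results


if __name__ == "__main__":
    for r in audit_inventory(SAMPLE_INVENTORY):
        print(f"{r.host:<10} {r.version:<14} {r.status:<16} {r.action}")
```

The version is extracted with a search rather than an anchored match so that artifact names such as `dubbo-2.7.6` are handled, and 2.5.x is reported separately because upgrading is the only remedy for a line the project no longer maintains.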


0x02 Remediation Advice


The project has released a fixed version; download it from:

https://github.com/apache/dubbo/releases/tag/dubbo-2.7.7


Upgrade reference documentation:

http://dubbo.apache.org/zh-cn/docs/user/versions/version-270.html

Note: to guard against unexpected problems, back up your data before upgrading.


0x03 Related News


https://meterpreter.org/cve-2020-1948-apache-dubbo-remote-code-execution-vulnerability-alert/


0x04 References


https://lists.apache.org/thread.html/rd4931b5ffc9a2b876431e19a1bffa2b4c14367260a08386a4d461955%40%3Cdev.dubbo.apache.org%3E


0x05 Timeline


2020-06-23 Apache publishes the official advisory

2020-06-23 VSRC publishes this vulnerability advisory

