CVE-2020-1948 | Apache Dubbo Provider default deserialization remote code execution vulnerability advisory

Published: 2020-06-23

0x00 Vulnerability overview


CVE ID: CVE-2020-1948

Date: 2020-06-23

Type: RCE

Severity: High

Remotely exploitable: Yes

Affected versions:

  Dubbo 2.7.0 - 2.7.6

  Dubbo 2.6.0 - 2.6.7

  Dubbo 2.5.x (no longer maintained by the project)



0x01 Vulnerability details


鉴黑担保网 (jhdbw) · the most authoritative and only rights-protection guarantee platform



Dubbo is a high-performance, lightweight Java RPC framework open-sourced by Alibaba. It provides three core capabilities: interface-oriented remote method invocation, intelligent fault tolerance and load balancing, and automatic service registration. It has been adopted by many large enterprises, including Alibaba Group, China Life, China Telecom, Dangdang, Didi Chuxing, Haier and the Industrial and Commercial Bank of China.


On 23 June 2020 the Apache Dubbo project published an advisory and a fix for a remote code execution vulnerability in Apache Dubbo (CVE-2020-1948). The root cause is a deserialization flaw in the Dubbo Provider: an attacker can send an RPC request that names a service or method the provider does not recognize and carries a malicious parameter payload. Because the provider deserializes the request parameters before it has confirmed that the requested service and method actually exist, the parameter types it resolves come from the attacker's request rather than from a known method signature, and deserializing the malicious payload leads to code execution on the provider.
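As an added illustration (not code from this advisory or from the Dubbo project), the following Python parses the Dubbo wire header and the leading Hessian2 strings of a request and models the gate a fixed provider applies: resolve the service and method from the provider's own registry first, and only let a known signature reach argument deserialization. The packets, the service name org.example.DemoService and the parameter type com.example.AttackerChosenType are constructed for the example; the registry dict stands in for the provider's service lookup and is an assumption of this example, not Dubbo's API.

```python
"""Parse a Dubbo protocol request and refuse it before deserialization when the
(service, method, parameter signature) is not one the provider exports."""
import struct

DUBBO_MAGIC = 0xDABB
FLAG_REQUEST = 0x80
FLAG_TWOWAY = 0x40
FLAG_EVENT = 0x20
SERIALIZATION_MASK = 0x1F
HESSIAN2_ID = 2          # serialization id of the default Dubbo protocol

# JVM primitive descriptors, used when expanding the parameter-types string
PRIMITIVES = {"Z": "boolean", "B": "byte", "C": "char", "S": "short", "I": "int",
              "J": "long", "F": "float", "D": "double", "V": "void"}


def hessian2_string(s: str) -> bytes:
    """Encode s as a single-chunk Hessian 2.0 string (ASCII assumed: chars == bytes)."""
    data = s.encode("utf-8")
    n = len(s)
    if n < 32:
        return bytes([n]) + data
    if n < 1024:
        return bytes([0x30 + (n >> 8), n & 0xFF]) + data
    return b"S" + struct.pack(">H", n) + data


def read_hessian2_string(buf: bytes, pos: int):
    """Decode one single-chunk Hessian 2.0 string at buf[pos]; return (value, next_pos)."""
    tag = buf[pos]
    if tag <= 0x1F:
        n, pos = tag, pos + 1
    elif 0x30 <= tag <= 0x33:
        n, pos = ((tag - 0x30) << 8) | buf[pos + 1], pos + 2
    elif tag == 0x53:  # 'S': final chunk with a 16-bit length
        n, pos = struct.unpack(">H", buf[pos + 1:pos + 3])[0], pos + 3
    else:
        raise ValueError(f"unexpected Hessian2 tag 0x{tag:02x} at offset {pos}")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def build_dubbo_request(service, method, param_desc, args=b"N",
                        request_id=1, dubbo_version="2.0.2", service_version="0.0.0"):
    """Assemble a Dubbo request: 16-byte header, then the Hessian2 body
    (dubbo version, service, service version, method, parameter types, args, attachments)."""
    body = b"".join(hessian2_string(x) for x in
                    (dubbo_version, service, service_version, method, param_desc))
    body += args + b"HZ"   # arguments ('N' = null by default), then an empty attachments map
    flags = FLAG_REQUEST | FLAG_TWOWAY | HESSIAN2_ID
    header = struct.pack(">HBBQI", DUBBO_MAGIC, flags, 0, request_id, len(body))
    return header + body


def parse_dubbo_request(packet: bytes) -> dict:
    """Parse the header and the five leading strings; never touch the argument payload."""
    if len(packet) < 16:
        raise ValueError("short header")
    magic, flags, _status, request_id, length = struct.unpack(">HBBQI", packet[:16])
    if magic != DUBBO_MAGIC:
        raise ValueError("bad magic")
    if not (flags & FLAG_REQUEST) or (flags & FLAG_EVENT):
        raise ValueError("not an RPC request")
    if (flags & SERIALIZATION_MASK) != HESSIAN2_ID:
        raise ValueError("unsupported serialization id %d" % (flags & SERIALIZATION_MASK))
    body = packet[16:16 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    fields, pos = {"request_id": request_id}, 0
    for name in ("dubbo_version", "service", "service_version", "method", "param_desc"):
        fields[name], pos = read_hessian2_string(body, pos)
    fields["args_offset"] = pos   # where a vulnerable provider would start deserializing
    return fields


def desc_to_classnames(desc: str) -> list:
    """Expand a parameter-types descriptor into class names: the types an unpatched
    provider resolves from the attacker's request when the method is unknown."""
    names, i = [], 0
    while i < len(desc):
        dims = 0
        while desc[i] == "[":
            dims, i = dims + 1, i + 1
        if desc[i] == "L":
            end = desc.index(";", i)
            name, i = desc[i + 1:end].replace("/", "."), end + 1
        elif desc[i] in PRIMITIVES:
            name, i = PRIMITIVES[desc[i]], i + 1
        else:
            raise ValueError(f"bad descriptor at {i}: {desc[i]!r}")
        names.append(name + "[]" * dims)
    return names


def check_request(packet: bytes, registry: dict):
    """Gate modelled on the fixed behaviour: look the service and method up in the
    provider's own registry first; only a known signature may be deserialized."""
    try:
        req = parse_dubbo_request(packet)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    methods = registry.get(req["service"])
    if methods is None:
        return False, f"unknown service {req['service']}"
    if methods.get(req["method"]) != req["param_desc"]:
        return False, f"unknown method/signature {req['method']}({req['param_desc']})"
    return True, "ok"


# Constructed sample data (not captured traffic): one exported service with one method.
REGISTRY = {"org.example.DemoService": {"sayHello": "Ljava/lang/String;"}}
GOOD_PACKET = build_dubbo_request("org.example.DemoService", "sayHello",
                                  "Ljava/lang/String;", args=hessian2_string("world"))
# Hypothetical hostile request: a method the service does not export, attacker-chosen type.
BAD_PACKET = build_dubbo_request("org.example.DemoService", "noSuchMethod",
                                 "Lcom/example/AttackerChosenType;")

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_PACKET), ("bad", BAD_PACKET)):
        req = parse_dubbo_request(pkt)
        print(label, req["method"], desc_to_classnames(req["param_desc"]),
              check_request(pkt, REGISTRY))
```

The check never reads past `args_offset`: the decision to reject is taken on the service name, method name and parameter descriptor alone, which is exactly the information an unpatched provider trusted when choosing what to deserialize.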


The vulnerability affects every Dubbo user running one of the versions listed above (2.7.0 - 2.7.6, 2.6.0 - 2.6.7, and all 2.5.x releases) and is rated high severity. VSRC advises users to inventory their assets for affected Dubbo versions and to apply the patch promptly.
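To support the asset self-check above, here is an added Python audit script (not part of this advisory) that reads a Maven pom.xml, resolves `${property}` versions, and flags Dubbo artifacts that fall inside the version ranges listed in this advisory. The Maven coordinates org.apache.dubbo:dubbo (2.7.x) and com.alibaba:dubbo (2.6.x and earlier) are the artifact coordinates of the two release lines; the sample pom is constructed for the example and is not a real project.

```python
"""Flag Dubbo dependencies in a pom.xml that fall within the CVE-2020-1948 affected ranges."""
import xml.etree.ElementTree as ET

# Ranges from the advisory. 2.5.x is affected as a whole line and has no fixed release.
AFFECTED_RANGES = (((2, 7, 0), (2, 7, 6)), ((2, 6, 0), (2, 6, 7)))
FIXED_VERSION = (2, 7, 7)
DUBBO_COORDINATES = {("org.apache.dubbo", "dubbo"), ("com.alibaba", "dubbo")}


def parse_version(text: str) -> tuple:
    """'2.7.6-SNAPSHOT' -> (2, 7, 6); qualifiers are dropped, missing parts are 0."""
    nums = []
    for part in text.strip().split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str) -> bool:
    v = parse_version(version)
    if v[:2] == (2, 5):
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]   # strip the Maven XML namespace from a tag


def dubbo_dependencies(pom_xml: str) -> list:
    """Return (groupId, resolved version) for every Dubbo dependency in the pom,
    including those under dependencyManagement."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) not in DUBBO_COORDINATES:
            continue
        version = f.get("version", "")
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)   # resolve ${dubbo.version}
        found.append((f["groupId"], version))
    return found


def audit_pom(pom_xml: str) -> list:
    """One row per Dubbo dependency; 'affected' is None when the version could not be
    resolved locally (inherited from a parent pom or an unknown property)."""
    rows = []
    for group, version in dubbo_dependencies(pom_xml):
        unresolved = not version or version.startswith("${")
        rows.append({"groupId": group, "version": version,
                     "affected": None if unresolved else is_affected(version)})
    return rows


# Constructed sample pom (not a real project): Dubbo version pinned through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><dubbo.version>2.7.6</dubbo.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.dubbo</groupId>
      <artifactId>dubbo</artifactId>
      <version>${dubbo.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>other-lib</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    import sys
    pom = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POM
    for row in audit_pom(pom):
        print(row)
```

Run it as `python audit.py path/to/pom.xml`; a row with `affected: None` means the version is inherited or managed elsewhere and must be resolved with `mvn dependency:tree` before it can be judged.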


0x02 Remediation recommendations


The project has released a fixed version, Dubbo 2.7.7. Since the 2.5.x line is no longer maintained, there is no patched 2.5 release; upgrade to 2.7.7. Download location:

https://github.com/apache/dubbo/releases/tag/dubbo-2.7.7


Upgrade reference documentation:

http://dubbo.apache.org/zh-cn/docs/user/versions/version-270.html

Note: back up your data before upgrading to avoid unexpected problems.


0x03 Related news


https://meterpreter.org/cve-2020-1948-apache-dubbo-remote-code-execution-vulnerability-alert/


0x04 References


https://lists.apache.org/thread.html/rd4931b5ffc9a2b876431e19a1bffa2b4c14367260a08386a4d461955%40%3Cdev.dubbo.apache.org%3E


0x05 Timeline


2020-06-23 The Apache Dubbo project published its advisory

2020-06-23 VSRC published this vulnerability advisory

