Security Announcements on Apache Dubbo

Serialization Security

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Dubbo supports serialization protocol extensions, allowing users to enable any serialization protocol based on this mechanism theoretically. This brings great flexibility but also potential security risks. Data deserialization is the most susceptible to attacker exploitation, allowing them to execute RCE attacks, steal or damage server-side data. Before switching or implementing a serialization protocol, users should thoroughly research the security guarantees of the target protocol and its implementation and set up appropriate security measures (e.g., black/whitelists) in advance. Dubbo cannot directly ensure the security of the target serialization mechanism.

RPC Protocol Security

Mon, 01 Jan 0001 00:00:00 +0000

Dubbo supports the extension of RPC protocols, allowing users to enable any RPC protocol based on this extension mechanism in theory. This provides great flexibility but also comes with potential security risks.

The following serialization protocols are provided in the official version of Dubbo 2.7:

Dubbo
RMI
Hessian
Http / Rest
Webservice
Thrift
gRPC
……

Starting from Dubbo 3.0, only the following serialization protocols are supported by default:

Dubbo
Triple / gRPC
Http / Rest

Triple, gRPC, Http, and Rest protocols are all built on the HTTP protocol, which can strictly distinguish the format of requests, such as headers being plain text, avoiding risks like RCE when reading tokens. The Dubbo protocol, due to its direct TCP binary design, uses serialization protocols for most fields except specific ones, so enabling risky serialization protocols can still pose RCE risks. The RMI protocol, based on Java serialization, poses RCE risks. The Hessian protocol, based on Hessian serialization, poses RCE risks especially since the default Hessian protocol (not the Dubbo-shaded Hessian-Lite) cannot configure blacklists and whitelists and has no default blacklist.

Registry Center Security

Mon, 01 Jan 0001 00:00:00 +0000

Dubbo supports the extension of registry centers, theoretically allowing users to enable any registry center based on this extension mechanism. This brings great flexibility but also raises awareness of potential security risks.

The following registry centers are provided in the official version of Dubbo 2.7:

Zookeeper
Redis
Nacos
Etcd
Consul
……

Starting from Dubbo 3.0, only the following registry centers are supported by default:

Zookeeper
Nacos

For registry centers, Dubbo can only fully trust the data they push. Therefore, if there are security vulnerabilities in the registry center, it may lead to malicious registration or data being maliciously pushed, causing service attacks. To ensure the security of the registry center, Dubbo officially recommends:

Dubbo Admin Security

Mon, 01 Jan 0001 00:00:00 +0000

To facilitate the use of Dubbo, the official Dubbo team provides the Dubbo Admin console to manage Dubbo applications.

Risks

Dubbo Admin by default has the permission to query and invoke the entire cluster, so it must be used more cautiously in a production environment. Additionally, to reduce the risk of arbitrary access to Dubbo Admin, a simple authentication mechanism is provided. To make Dubbo Admin more secure, please refer to the following documentation.

Log4j Vulnerability Impact

Mon, 01 Jan 0001 00:00:00 +0000

Recently, the mainstream logging component log4j2 exposed a security vulnerability CVE-2021-44228.

Below is a summary of the impact of vulnerability CVE-2021-44228 on the Apache Dubbo framework and user response guidelines.

Dubbo Impact Range

This vulnerability does not affect the security use of the Dubbo framework.

Dubbo itself does not strongly depend on the log4j2 framework, nor does it bring log4j2 into the business project through dependencies. Therefore, users using Dubbo versions 2.7.x, 3.0.x, etc., do not need to forcibly upgrade the Dubbo version.