CVE-2020-11995
📋 TL;DR
CVE-2020-11995 is a critical deserialization vulnerability in Apache Dubbo that allows remote attackers to execute arbitrary code by sending specially crafted serialized objects. This affects Dubbo 2.7.5 and earlier versions when using the default Hessian2 serialization protocol. Organizations running vulnerable Dubbo services are at risk of complete system compromise.
💻 Affected Systems
- Apache Dubbo
📦 What is this software?
Dubbo by Apache
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system takeover, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Remote command execution allowing attackers to run arbitrary commands, install malware, or pivot to other systems in the network.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are implemented, though exploitation could still occur.
🎯 Exploit Status
Exploitation requires sending specially crafted serialized objects to Dubbo services. Multiple public PoCs exist demonstrating RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Dubbo 2.6.9 or 2.7.8
Vendor Advisory: https://lists.apache.org/thread.html/r5b2df4ef479209dc4ced457b3d58a887763b60b9354c3dc148b2eb5b%40%3Cdev.dubbo.apache.org%3E
Restart Required: Yes
Instructions:
1. Identify all Dubbo instances.
2. Backup configurations and data.
3. Upgrade to Dubbo 2.6.9 or 2.7.8.
4. Restart Dubbo services.
5. Verify functionality post-upgrade.
🔧 Temporary Workarounds
Disable Hessian2 Serialization
Switch to a different serialization protocol if possible.
Modify dubbo.properties or the application configuration to use a different serialization (e.g., dubbo.protocol.serialization=fastjson). Note that Hessian2 is the default, so a configuration with no serialization key set is still using it.
Network Segmentation
Restrict access to Dubbo services using firewall rules. The rules below assume the default Dubbo port 20880; replace trusted_network with the CIDR of the clients that legitimately call the service, and keep the ACCEPT rule ahead of the DROP rule so it is evaluated first.
iptables -A INPUT -p tcp --dport 20880 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 20880 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit Dubbo service exposure
- Deploy WAF or RASP solutions with deserialization attack detection
🔍 How to Verify
Check if Vulnerable:
Check the Dubbo version: grep -r 'dubbo.version' across the application files, or check pom.xml for <version>2.7.5</version> or lower.
Check Version:
find /path/to/app -name "*.jar" -exec jar tf {} \; | grep dubbo | head -5
Verify Fix Applied:
Verify that the version in use is 2.6.9 or 2.7.8 or higher: run java -jar your-app.jar --version if the application exposes a version flag, or check the Dubbo version printed in the application startup logs.
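The version checks above rely on reading jar names or pom.xml by hand. As an added example that is not part of this advisory, the script below walks a directory tree, picks the version out of every dubbo*.jar file name, and flags anything below the fix versions this page names (2.6.9 on the 2.6 line, 2.7.8 on the 2.7 line; older 2.x lines are flagged outright). It assumes the jar file names carry the version, as in dubbo-2.7.5.jar or dubbo-common-2.7.5.jar, and that paths contain no spaces; the sample tree it builds is constructed for the demo.

```shell
# Added example (not from the advisory): audit a directory tree for Dubbo jars
# whose version is below the patched releases named on this page.

# dubbo_version_vulnerable VERSION
#   returns 0 (true) if VERSION is below the fix on its line:
#   2.7.x < 2.7.8, 2.6.x < 2.6.9, any 2.x line older than 2.6; 1 otherwise.
#   Suffixes such as -SNAPSHOT or -RC1 on the patch number are ignored.
dubbo_version_vulnerable() {
  ver="$1"
  IFS=. read -r major minor patch <<EOF
$ver
EOF
  patch=${patch%%[!0-9]*}      # "5-SNAPSHOT" -> "5"
  patch=${patch:-0}            # "2.7" counts as 2.7.0
  minor=${minor:-0}
  case "$major.$minor" in
    2.7) [ "$patch" -lt 8 ] ;;
    2.6) [ "$patch" -lt 9 ] ;;
    2.*) [ "$minor" -lt 6 ] ;;   # 2.5 and earlier predate the fix
    *)   return 1 ;;             # other major versions: not flagged here
  esac
}

# dubbo_scan_dir DIR
#   prints "<path> <version> VULNERABLE|patched" for every dubbo*.jar under DIR,
#   returns 0 if at least one vulnerable jar was found, 1 otherwise.
dubbo_scan_dir() {
  found=1
  for f in $(find "$1" -type f -name 'dubbo*.jar'); do
    base=${f##*/}
    v=${base%.jar}; v=${v##*-}   # dubbo-common-2.7.5.jar -> 2.7.5
    if dubbo_version_vulnerable "$v"; then
      echo "$f $v VULNERABLE"; found=0
    else
      echo "$f $v patched"
    fi
  done
  return $found
}

# Constructed sample tree (empty files stand in for jars) to show the output.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/app1/lib" "$demo_dir/app2/lib"
: > "$demo_dir/app1/lib/dubbo-2.7.5.jar"
: > "$demo_dir/app2/lib/dubbo-common-2.7.8.jar"
dubbo_scan_dir "$demo_dir" || echo "no vulnerable Dubbo jars found"
rm -rf "$demo_dir"
```

Run it against each deployment root (dubbo_scan_dir /opt/app); a non-zero exit means nothing below the fix versions was found, so it slots into a scheduled compliance check. Version strings that are not in the jar name (for example a shaded fat jar) are not covered and still need the pom.xml or startup-log check.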
📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors
- Unexpected class loading
- Suspicious network connections from Dubbo services
Network Indicators:
- Malformed serialized objects in Dubbo protocol traffic
- Unexpected outbound connections from Dubbo hosts
SIEM Query:
source="dubbo.log" AND ("deserialization" OR "ClassNotFoundException" OR "Malformed")
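The SIEM query above matches single events; what an analyst usually wants next is which source is generating them. As an added example that is not part of this advisory, the script below applies the same keyword filter with grep (using the stem deserializ so that both "deserialization" and "deserialize" match), then aggregates hits per source address and lists any source that exceeds a threshold. The log lines it writes are constructed for the demo and assume a simple "date time level logger ip:port -> port message" layout; adjust the awk field number to your own Dubbo log pattern.

```shell
# Added example (not from the advisory): turn the SIEM keyword query into a
# per-source aggregation over a Dubbo log file.

# dubbo_write_sample_log FILE -> writes constructed sample lines (demo data only)
dubbo_write_sample_log() {
  cat > "$1" <<'EOF'
2020-06-23 10:01:02 INFO  DubboServerHandler 192.0.2.10:51234 -> 20880 invoke sayHello ok
2020-06-23 10:01:03 WARN  DubboServerHandler 192.0.2.77:40001 -> 20880 deserialization error: java.lang.ClassNotFoundException: com.example.Payload
2020-06-23 10:01:03 WARN  DubboServerHandler 192.0.2.77:40002 -> 20880 Malformed request body, closing connection
2020-06-23 10:01:04 WARN  DubboServerHandler 192.0.2.77:40003 -> 20880 deserialization error: java.lang.ClassNotFoundException: com.example.Other
2020-06-23 10:01:05 INFO  DubboServerHandler 192.0.2.11:51300 -> 20880 invoke sayHello ok
EOF
}

# dubbo_deser_alert_count FILE -> number of lines matching the SIEM keywords
dubbo_deser_alert_count() {
  grep -c -i -E 'deserializ|ClassNotFoundException|Malformed' "$1"
}

# dubbo_deser_sources FILE -> "count ip" per source, most active first
dubbo_deser_sources() {
  grep -i -E 'deserializ|ClassNotFoundException|Malformed' "$1" \
    | awk '{ split($5, a, ":"); n[a[1]]++ } END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

# dubbo_deser_burst FILE [THRESHOLD] -> sources with at least THRESHOLD hits (default 3)
dubbo_deser_burst() {
  dubbo_deser_sources "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# Demo run over the constructed sample.
demo_log=$(mktemp)
dubbo_write_sample_log "$demo_log"
echo "matching events: $(dubbo_deser_alert_count "$demo_log")"
echo "events per source:"; dubbo_deser_sources "$demo_log"
echo "sources over threshold:"; dubbo_deser_burst "$demo_log" 3
rm -f "$demo_log"
```

A single ClassNotFoundException can be a misconfigured client, while a run of them from one address against the Dubbo port is the pattern worth an alert; pairing the burst list with the network indicators above (unexpected outbound connections from the same Dubbo host) separates probing from a successful compromise.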