Apache Dubbo Consumer Risks: The Road Not Taken
Apache Dubbo is a popular Java open-source RPC framework designed for microservices-based and distributed systems. It provides a robust communication protocol that allows services to exchange data across different networked nodes, enabling the creation of scalable, flexible, and reliable applications. However, vulnerabilities have been discovered in the framework, mainly affecting the consumer end rather than the provider. Sonar's Vulnerability Research Team has found two security issues in Apache Dubbo that could result in arbitrary object deserialization and eventually lead to remote code execution (RCE). Despite not being classified as vulnerabilities by Apache, these findings have led to updates in the documentation for users to better protect themselves.
Company: Sonar
Date published: April 1, 2024
Author(s): Yaniv Nizry
Word count: 1633
Hacker News points: None found.
Language: English