A critical* Apache APISIX vulnerability with a CVSS v3.1 score of 9.8 has been disclosed.
An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. If the admin key has been changed, or the Admin API has been moved to a port different from the data plane, the impact is lower, but there is still a risk of bypassing the IP restriction of the Apache APISIX data plane. The batch-requests plugin contains a check that overrides the client IP with the real remote IP; due to a bug in the code, this check can be bypassed.
Affected Systems
The following servers/systems are affected by this vulnerability:
IoCs
-
Recommended Solution(s)
The following mitigations have been suggested:
1. Explicitly configure the enabled plugins in "conf/config.yaml" and ensure that "batch-requests" is disabled (or simply comment out "batch-requests" in "conf/config-default.yaml"), or
2. Upgrade to 2.10.4 or 2.12.1.
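The following script is an added example, not part of this advisory or of the Apache APISIX project. It encodes the risk reasoning of the description above and checks a deployment against the two mitigations: it overlays conf/config.yaml on conf/config-default.yaml the way APISIX does (an explicit "plugins" list in config.yaml replaces the default list, which is why mitigation 1 works), flags whether batch-requests is still enabled, whether the shipped default admin key is still in place, whether the Admin API shares the data-plane port, and whether the running version is one of the fixed releases. All function names (merge_config, is_patched, assess) and the sample config dicts are assumptions of this example; the dicts stand in for the two YAML files after loading them with a YAML parser such as yaml.safe_load, which is not done here so the script runs offline.

```python
"""Added config-review helper for CVE-2022-24112 (not part of the advisory or of
Apache APISIX). batch-requests enabled + default admin key + Admin API on the
data-plane port is the remote-code-execution case; changing the key or moving the
Admin API to its own port lowers the impact but leaves the IP-restriction bypass."""
from __future__ import annotations

import re
from typing import Any

# Shipped default admin key in APISIX 2.x config-default.yaml (publicly documented).
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"
# Fixed releases named in the advisory, keyed by release line.
FIXED_VERSIONS = {(2, 10): (2, 10, 4), (2, 12): (2, 12, 1)}


def merge_config(default: dict, user: dict) -> dict:
    """Overlay config.yaml on config-default.yaml: mappings merge recursively,
    scalars and lists (including `plugins`) are replaced wholesale (assumption
    matching APISIX's documented behaviour). An explicit `plugins` list without
    batch-requests in config.yaml therefore disables the plugin."""
    merged = dict(default)
    for key, value in user.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_config(merged[key], value)
        else:
            merged[key] = value
    return merged


def parse_version(version: str) -> tuple[int, int, int]:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised APISIX version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True for 2.10.4+ on the 2.10 line and for 2.12.1 or anything newer;
    2.11.x and everything older than 2.10.4 count as unpatched."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        return v >= fixed
    return v > FIXED_VERSIONS[(2, 12)]


def _ports(node_listen: Any, fallback: int = 9080) -> set[int]:
    """node_listen may be absent, a bare port, or a list of ports / {ip, port} maps."""
    if node_listen is None:
        return {fallback}
    if isinstance(node_listen, int):
        return {node_listen}
    return {item if isinstance(item, int) else int(item.get("port", fallback))
            for item in node_listen}


def assess(merged: dict, version: str) -> dict[str, Any]:
    """Classify a merged config as fixed / mitigated / reduced / critical."""
    apisix = merged.get("apisix") or {}
    plugins = merged.get("plugins") or []
    batch_enabled = "batch-requests" in plugins
    keys = [e.get("key") for e in (apisix.get("admin_key") or [])]
    default_key = DEFAULT_ADMIN_KEY in keys
    data_ports = _ports(apisix.get("node_listen"))
    admin_port = apisix.get("port_admin")          # unset: Admin API shares data port
    shared_port = admin_port is None or admin_port in data_ports

    if is_patched(version):
        level = "fixed"
    elif not batch_enabled:
        level = "mitigated"                         # plugin disabled (mitigation 1)
    elif default_key and shared_port:
        level = "critical"                          # RCE via Admin API bypass
    else:
        level = "reduced"                           # data-plane IP bypass remains
    return {"level": level, "batch_requests": batch_enabled,
            "default_admin_key": default_key, "admin_shares_data_port": shared_port}


# Constructed samples standing in for the two YAML files after yaml.safe_load().
SAMPLE_DEFAULT = {
    "apisix": {"node_listen": 9080,
               "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}]},
    "plugins": ["limit-req", "batch-requests", "prometheus"],
}
SAMPLE_HARDENED = {
    "apisix": {"port_admin": 9180,
               "admin_key": [{"name": "admin", "key": "replace-with-a-random-key", "role": "admin"}]},
    "plugins": ["limit-req", "prometheus"],       # batch-requests deliberately omitted
}

if __name__ == "__main__":
    print(assess(merge_config(SAMPLE_DEFAULT, {}), "2.12.0"))
    print(assess(merge_config(SAMPLE_DEFAULT, SAMPLE_HARDENED), "2.12.0"))
```

Run as-is it reports the stock configuration as "critical" and the hardened overlay as "mitigated"; a config.yaml that only moves the Admin API to port 9180 or changes the key, but leaves batch-requests in the plugin list, comes back as "reduced", mirroring the advisory's note that the data-plane IP-restriction bypass remains until the plugin is disabled or the fixed release is installed.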
CVE / CWE
CVE-2022-24112
Related Website(s)
* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are rated "high", whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are rated "critical".