Service Notices
Unauthorized Access Vulnerability in Kong Admin REST API (CVE-2020-11710)
Apr 24, 2020 GMT+08:00
I. Overview
HUAWEI CLOUD is aware of an unauthorized access vulnerability (CVE-2020-11710), disclosed by a security team in China, in docker-kong (the Docker image for Kong). Kong is one of the most popular open-source, cloud-native API gateways. Kong is managed through the Kong Admin REST API (a set of RESTful endpoints) that controls Kong Proxy. However, this management interface has no built-in authentication (Kong Enterprise supports role-based access control and authentication for the Kong Admin REST API). As a result, an attacker who can reach the Kong Admin REST API without authorization can take control of the Kong API gateway and use it to penetrate the intranet.
If you are a Kong user, check your system and apply security hardening promptly.
Reference links:
https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw
https://github.com/Kong/docker-kong/commit/dfa095cadf7e8309155be51982d8720daf32e31c
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected Versions:
Kong 2.0.3 and earlier
IV. Vulnerability Handling
Do not expose ports 8001 and 8444 (the default listening ports of the Kong Admin REST API) externally, or configure security groups so that these ports are reachable only from trusted sources.
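As an added example (not code from HUAWEI CLOUD or the Kong project), the following script audits the `admin_listen` directive of a kong.conf file and reports every Admin API listener that is bound to a non-loopback address. It assumes Kong's documented listen syntax (comma-separated `host:port [flag ...]` entries, or `off`); the two configuration fragments are constructed for the demonstration, the first showing the exposed setting on the default ports 8001 and 8444 and the second the loopback-only setting that keeps the management interface off the network.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed kong.conf fragments for the demonstration (not taken from the advisory).
# The first exposes the Admin API on every interface on the default ports 8001/8444;
# the second binds it to loopback only, so it is reachable just from the host itself.
EXPOSED_CONF = """
proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl
admin_listen = 0.0.0.0:8001, 0.0.0.0:8444 ssl
"""

HARDENED_CONF = """
proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl
admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 ssl
"""


def parse_listen(value: str) -> List[Tuple[str, int, List[str]]]:
    """Split a Kong listen directive into (host, port, flags) tuples.

    Entries are comma separated and look like 'host:port [flag ...]',
    e.g. '127.0.0.1:8001, [::1]:8444 ssl'. The value 'off' yields no entries.
    """
    entries: List[Tuple[str, int, List[str]]] = []
    if value.strip() == "off":
        return entries
    for raw in value.split(","):
        parts = raw.split()
        if not parts:
            continue
        host, _, port = parts[0].rpartition(":")
        entries.append((host.strip("[]"), int(port), parts[1:]))
    return entries


def admin_listen_value(conf_text: str) -> Optional[str]:
    """Return the raw admin_listen value from kong.conf text, or None if unset.

    If the directive is absent, Kong falls back to its built-in default; the
    KONG_ADMIN_LISTEN environment variable overrides the file, so check it too.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "admin_listen":
            return value.strip()
    return None


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Any other hostname cannot be verified offline; treat it as not loopback.
        return False


def exposed_admin_listens(conf_text: str) -> List[str]:
    """List Admin API listeners bound to a non-loopback address, as 'host:port'."""
    value = admin_listen_value(conf_text)
    if value is None:
        return []
    return [
        f"{host}:{port}"
        for host, port, _flags in parse_listen(value)
        if not is_loopback(host)
    ]


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        findings = exposed_admin_listens(conf)
        print(f"{name}: {findings or 'admin API bound to loopback only'}")
```

Binding the Admin API to loopback complements, rather than replaces, the security-group restriction above: the security group limits who can reach the host, while the loopback binding ensures the management interface never listens on a network-facing address at all.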
If you are a HUAWEI CLOUD WAF user, you can customize WAF policies to control URL access, and thereby avoid risks on the live network. For details about how to configure WAF policies, visit:
https://support.huaweicloud.com/intl/en-us/usermanual-waf/waf_01_0010.html
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.