I. Overview

HUAWEI CLOUD is aware of an unauthorized access vulnerability (CVE-2020-11710), disclosed by a security team in China, in docker-kong (for Kong). Kong is one of the most popular open-source, cloud-native API gateway. Kong uses Kong Admin REST API (RESTful API endpoints) to manage Kong Proxy. However, this management entry does not have the authentication capability (Kong Enterprise supports role control and authentication for Kong Admin REST API). As a result, attackers can control the Kong API gateway with unauthorized access to Kong Admin REST API, thereby penetrating the intranet.

If you are a Kong user, check your system and implement timely security hardening.

Reference links:

https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw

https://github.com/Kong/docker-kong/commit/dfa095cadf7e8309155be51982d8720daf32e31c

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected Versions:

Kong 2.0.3 and earlier

IV. Vulnerability Handling

Disable the external opening function of ports 8001 and 8444, default listening ports of Kong Admin REST API, or configure security groups to open to trusted objects.

If you are a HUAWEI CLOUD WAF user, you can customize WAF policies to control URL access, and thereby avoid risks on the live network. For details about how to configure WAF policies, visit:

https://support.huaweicloud.com/intl/en-us/usermanual-waf/waf_01_0010.html

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.