Default Access Token Vulnerability of Apache APISIX's Admin API (CVE-2020-13945)
Dec 10, 2020 GMT+08:00
I. Overview
Apache APISIX has officially released a security notice disclosing that the default token of the Apache APISIX Admin API is vulnerable (CVE-2020-13945). Apache APISIX is a dynamic, real-time, high-performance cloud-native API gateway. If a user keeps the default token and allows any IP address to access the Admin API, an attacker can use the default token to access APISIX and perform malicious operations.
If you are an Apache APISIX user, check your system and implement timely security hardening.
References:
https://github.com/apache/apisix/pull/2244
II. Severity
Severity: Important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
APISIX 1.2, 1.3, 1.4, 1.5
Secure versions:
APISIX 2.0
IV. Vulnerability Handling
This vulnerability has been fixed in the newly released version. If your service version falls within the affected range, upgrade it to the latest secure version.
https://apisix.apache.org/downloads/
If upgrading is not an option, apply the following workarounds to mitigate the risk:
1. Change the admin_key setting in the Apache APISIX configuration file conf/config.yaml so that the default token is no longer accepted.
2. Alternatively, disable the Apache APISIX Admin API, or restrict the IP addresses allowed to access it.
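As an added illustration (not part of this advisory and not copied from the APISIX project's files), the following shows the shape of the conf/config.yaml settings the two workarounds refer to, first in the weak form and then hardened. The key names apisix.enable_admin, apisix.allow_admin and apisix.admin_key follow the config.yaml layout used by APISIX 1.x and 2.0 as I know it; the token values and the management network are constructed placeholders, not the real default token.

```yaml
# Weak: the shipped default token is still in place and the Admin API is
# reachable from any source address.
apisix:
  enable_admin: true
  allow_admin:
    - 0.0.0.0/0                          # any IP may reach the Admin API
  admin_key:
    - name: "admin"
      key: "<DEFAULT-TOKEN-FROM-DISTRIBUTION>"   # placeholder for the shipped default
      role: admin
---
# Hardened: a fresh random token (workaround 1) and the Admin API restricted
# to management hosts (workaround 2). Set enable_admin to false instead if
# the Admin API is not needed at all.
apisix:
  enable_admin: true
  allow_admin:
    - 127.0.0.0/24                       # local access only
    - 10.0.50.0/24                       # constructed example: management network
  admin_key:
    - name: "admin"
      key: "<generate with: openssl rand -hex 32>"   # replace with a unique random value
      role: admin
```

After reloading APISIX with the hardened file, a request to /apisix/admin/routes that still carries the old token should be rejected, and a request from an address outside the listed networks should not reach the Admin API at all; checking both confirms that the workaround actually took effect.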
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.