Service Notices
Apache APISIX Remote Code Execution Vulnerability (CVE-2022-24112)
Feb 17, 2022 GMT+08:00
I. Overview
Apache APISIX has disclosed a remote code execution vulnerability (CVE-2022-24112) affecting versions earlier than Apache APISIX 2.12.1. An attacker can abuse the batch-requests plugin to send requests that bypass the IP restrictions (for example, an IP whitelist or IP blacklist) of the Apache APISIX data plane. With the default configuration of Apache APISIX (Admin API enabled, default API key in use, and no separate management port allocated), an attacker can abuse the batch-requests plugin to call the Admin API and achieve remote code execution.
Apache APISIX is an open-source API gateway. If you are an Apache APISIX user, check your versions and implement timely security hardening.
Reference:
https://apisix.apache.org/blog/2022/02/11/cve-2022-24112/
https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
All versions of Apache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)
All LTS versions of Apache APISIX between 2.10.0 and 2.10.4 (excluding 2.10.4)
Secure versions:
Apache APISIX 2.12.1
Apache APISIX 2.10.4 (LTS versions)
IV. Vulnerability Handling
This vulnerability has been fixed in official releases. If your service version falls into the affected range, upgrade it to a secure version:
https://github.com/apache/apisix/releases/tag/2.12.1
https://github.com/apache/apisix/releases/tag/2.10.4
If the upgrade cannot be performed in a timely manner, the Apache APISIX project advises explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
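The following triage helper, added here and not code from the advisory or from the Apache APISIX project, encodes the affected ranges from section III and checks whether the interim mitigation from section IV (the batch-requests entry commented out in the plugins list) has been applied. The plugin-list layout in the sample config is a constructed assumption and the check only recognises plain list items.

```python
"""Triage helper for CVE-2022-24112 using the affected ranges (section III) and
the interim mitigation (section IV) from the notice above. Added example; not
code from the advisory or from the Apache APISIX project."""
import re


def parse_version(text):
    """'2.10.3' or '2.12' -> comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version):
    """1.3 <= v < 2.12.1 on the regular release line; the 2.10 LTS line is
    judged by its own range 2.10.0 <= v < 2.10.4 (2.10.4 is the fixed LTS)."""
    v = parse_version(version)
    if v[:2] == (2, 10):
        return (2, 10, 0) <= v < (2, 10, 4)
    return (1, 3, 0) <= v < (2, 12, 1)


def batch_requests_enabled(config_yaml):
    """Scan config.yaml / config-default.yaml text for an uncommented
    '- batch-requests' list entry. A commented line ('# - batch-requests') is
    the interim mitigation and counts as disabled. No YAML library needed."""
    for line in config_yaml.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented out: the plugin is not loaded
        if re.match(r"-\s*batch-requests(\s|$)", stripped):
            return True
    return False


def triage(version, config_yaml):
    """Classify one instance as 'secure', 'mitigated' or 'exposed'."""
    if not is_affected(version):
        return "secure"        # on 2.12.1 / 2.10.4 or otherwise outside the range
    if batch_requests_enabled(config_yaml):
        return "exposed"       # affected version with the plugin still enabled
    return "mitigated"         # plugin commented out; still upgrade when possible


# Constructed sample plugin lists (assumed layout), before and after the workaround.
CONFIG_BEFORE = "plugins:\n  - api-breaker\n  - batch-requests\n  - ip-restriction\n"
CONFIG_AFTER = CONFIG_BEFORE.replace("  - batch-requests", "  # - batch-requests")
```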