Apache APISIX has issued a security alert, revealing a remote code execution vulnerability (CVE-2022-24112) in versions prior to 2.12.1.
Apache APISIX is a high-performance API gateway that is dynamic and real-time. APISIX offers load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and other traffic management functions.
The advisory states: “In versions of Apache APISIX prior to 2.12.1 (excluding 2.12.1 and 2.10.4), there is a risk of rewriting the X-REAL-IP header when the Apache APISIX batch-requests plugin is enabled”. Successful exploitation may allow a remote attacker to bypass the IP restrictions on the Apache APISIX data plane or to invoke the Admin API.
An attacker might use the batch-requests plugin to send requests that bypass the Admin API’s IP restriction. Apache APISIX’s default setup (with the default Admin API key) is vulnerable to remote code execution. The impact is reduced when the admin key is changed, or when the Admin API is moved to a port other than the data plane port. However, there is still a chance of circumventing the IP restriction on the Apache APISIX data plane.
Affected versions:
- All versions of Apache APISIX between 1.3 and 2.12.1 (excluding 2.12.1).
- All LTS versions of Apache APISIX between 2.10.0 and 2.10.4 (excluding 2.10.4).
Mitigation:
- Apache has released Apache APISIX versions 2.12.1 and 2.10.4 addressing the vulnerability. Customers are advised to update to the latest version as soon as possible.
- In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.
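The following is an added example (not code from Qualys or the Apache APISIX project) that applies the version ranges and the mitigation above as an offline check: it flags an instance as exposed only if its version falls in an affected range and batch-requests is still listed in the effective plugins list. It assumes that a top-level plugins: list in conf/config.yaml, when present, replaces the list from conf/config-default.yaml; the sample YAML is constructed.

```python
"""Offline exposure check for CVE-2022-24112 (assumption: a top-level
`plugins:` list in config.yaml replaces the one in config-default.yaml)."""
import re


def parse_version(v):
    return tuple(int(x) for x in v.strip().split("."))


def version_affected(version):
    """True for 1.3 <= version < 2.12.1, except 2.10.4 and later 2.10.x LTS releases."""
    v = parse_version(version)
    if v < (1, 3) or v >= (2, 12, 1):
        return False
    if v[:2] == (2, 10) and v >= (2, 10, 4):
        return False
    return True


def enabled_plugins(yaml_text):
    """Return the entries of the top-level `plugins:` list, or None if the key is absent.
    Minimal line-based parser: comment lines are ignored, so a commented-out
    `- batch-requests` (the advisory's mitigation) does not count as enabled."""
    plugins, in_list = None, False
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if re.match(r"^plugins:\s*(#.*)?$", line):
            plugins, in_list = [], True
            continue
        if not in_list or stripped == "" or stripped.startswith("#"):
            continue
        if not line[0].isspace():  # next top-level key ends the list
            in_list = False
            continue
        m = re.match(r"-\s*([\w-]+)", stripped)
        if m:
            plugins.append(m.group(1))
    return plugins


def batch_requests_enabled(config_yaml, default_yaml):
    plugins = enabled_plugins(config_yaml)
    if plugins is None:  # config.yaml does not override the list: defaults apply
        plugins = enabled_plugins(default_yaml) or []
    return "batch-requests" in plugins


def is_exposed(version, config_yaml, default_yaml):
    return version_affected(version) and batch_requests_enabled(config_yaml, default_yaml)


# Constructed sample files, not taken from any real deployment.
CONFIG_DEFAULT = "apisix:\n  node_listen: 9080\nplugins:\n  - batch-requests\n  - cors\n"
CONFIG_MITIGATED = "plugins:\n  # - batch-requests   # disabled per advisory\n  - cors\n"
```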
For more information, please visit the Apache security advisory.
Qualys customers can scan their devices with QID 730361 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.