Overview
Apache APISIX with default configuration contains a critical remote code execution vulnerability in the batch-requests plugin. The vulnerability allows attackers to bypass IP restrictions through crafted batch requests, enabling unauthorized execution of malicious code on affected systems. The vulnerability was disclosed on February 11, 2022. CISA has identified CVE-2022-24112 as exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
The batch-requests plugin in Apache APISIX allows users to send multiple HTTP requests in a single batch operation. However, the plugin contains a vulnerability that fails to properly validate and sanitize the batch requests. This flaw allows attackers to bypass IP restriction checks configured in APISIX by crafting specially formatted batch requests. By exploiting this bypass, attackers can send requests that would normally be blocked by IP whitelisting/blacklisting rules, potentially gaining access to restricted endpoints and executing arbitrary code if those endpoints are exploitable.
The vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature), CWE-863 (Incorrect Authorization) and CWE-918 (Server-Side Request Forgery (SSRF)).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
Impact
Successful exploitation allows remote attackers to bypass IP-based access controls and potentially execute arbitrary code on the affected APISIX server. This could lead to complete system compromise, unauthorized access to backend services, data exfiltration, lateral movement within the network, and denial of service. Given that APISIX functions as an API gateway, compromise could affect all services routed through it.
Mitigation and workarounds
Upgrade Apache APISIX to version 2.12.4 or later. Users should prioritize this update as the vulnerability is critical and actively exploited. After patching, restart all APISIX instances to ensure the fixed version is running. The following versions include the necessary fixes: 2.12.4, 2.13.0 and later.
As temporary workarounds: disable the batch-requests plugin if it is not required for your deployment; this can be done by removing or commenting out the plugin configuration in the APISIX configuration file. Implement network-level access controls and a web application firewall (WAF) to restrict access to the APISIX instance to only trusted sources; while this doesn't fix the underlying vulnerability, it reduces the attack surface. If using APISIX behind a reverse proxy, configure the proxy to validate and sanitize batch requests before forwarding them to APISIX.
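As an added example (not part of this report or of the APISIX project itself), the following Python triage helper checks the two mitigations above against a deployment: whether the running release is 2.12.4 or later, and whether `batch-requests` is still enabled in `conf/config.yaml`. It assumes the plugin list is declared as a top-level `plugins:` YAML list, and the sample configuration fragments are constructed for illustration.

```python
"""Triage helper for CVE-2022-24112 exposure in an Apache APISIX deployment."""
import re

FIXED_FROM = (2, 12, 4)  # first fixed release named in the advisory

def parse_version(text: str) -> tuple:
    """Turn '2.12.3', 'v2.12.3' or '2.12.3-rc1' into a comparable int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised APISIX version: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_is_fixed(version: str) -> bool:
    """True for 2.12.4, 2.13.0 and every later release."""
    return parse_version(version) >= FIXED_FROM

def enabled_plugins(config_text: str):
    """Names under the top-level `plugins:` list of conf/config.yaml, or None
    when the key is absent (defaults apply, and the advisory says the default
    configuration has batch-requests on). Line-based so no YAML library is
    needed; commented-out entries count as disabled."""
    names, in_block, found = [], False, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented key starts a new block
            in_block = line.startswith("plugins:")
            found = found or in_block
        elif in_block and line.strip().startswith("- "):
            names.append(line.strip()[2:].strip().strip("'\""))
    return names if found else None

def assess(version: str, config_text: str) -> dict:
    """Combine release and plugin state into a triage verdict."""
    plugins = enabled_plugins(config_text)
    batch_on = plugins is None or "batch-requests" in plugins
    fixed = version_is_fixed(version)
    if fixed:
        action = "none: running a fixed release"
    elif batch_on:
        action = "upgrade to 2.12.4 or later; disable batch-requests until then"
    else:
        action = "upgrade to 2.12.4 or later (batch-requests already disabled)"
    return {"fixed_version": fixed, "batch_requests_enabled": batch_on,
            "exposed": batch_on and not fixed, "action": action}

# Constructed sample config.yaml fragments, not taken from a real deployment.
VULNERABLE_CONFIG = "plugins:\n  - batch-requests\n  - ip-restriction\n"
HARDENED_CONFIG = "plugins:\n  # - batch-requests  # CVE-2022-24112 workaround\n  - ip-restriction\n"
```

Run `assess("2.12.3", VULNERABLE_CONFIG)` to see an exposed verdict and `assess("2.13.0", VULNERABLE_CONFIG)` to see a fixed one.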
CISA recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated by AI.

