Overview
Apache APISIX's batch-requests plugin lets a remote, unauthenticated attacker bypass the IP allow-list that protects the Admin API. On a default configuration, where the Admin API shares the data-plane port and still uses the well-known default admin key, that bypass becomes remote code execution on the gateway. The vulnerability was disclosed on February 11, 2022. CISA lists CVE-2022-24112 in its Known Exploited Vulnerabilities catalog; it is not currently known to be used in ransomware campaigns.
Technical details
The batch-requests plugin exposes an endpoint that accepts a JSON body describing several HTTP requests (a pipeline) and replays them as sub-requests from the gateway to itself over loopback, returning the combined responses. Because loopback is a trusted real-IP source, the gateway takes the client address of those sub-requests from the X-Real-IP header. The plugin sets that header from the real connection before forwarding, but it merged the caller's per-request headers without normalising header names. HTTP header names are case-insensitive, so a caller-supplied real-IP header in a different letter case survived the merge and could be the one honoured, letting the attacker claim to be 127.0.0.1. The Admin API's IP allow-list (allow_admin) then passes, and with the default admin key the attacker can create or modify routes. Route definitions can carry Lua code (for example through the serverless plugins), which runs inside the gateway's worker process, so this is arbitrary code execution. If the admin key was changed or the Admin API moved to its own port, the impact drops to an IP-restriction bypass on the data plane, which still matters for any route guarded by ip-restriction.
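The following is a simplified model of the header-merge flaw, added here as an illustration; it is Python written for this page, not APISIX's Lua plugin code. It keeps only the part that matters: the plugin builds each sub-request's header set from the caller's headers, then stamps the trusted real-IP value on top, and a receiver that treats header names case-insensitively (taking the first matching line, as nginx does for X-Real-IP) decides whether the Admin API allow-list passes. The send order of the header lines, the allow-list range and the attacker address are modelling assumptions, not values taken from the page or from APISIX.

```python
"""Model of the batch-requests header-merge flaw behind CVE-2022-24112.

Constructed illustration, not APISIX code. The vulnerable merge keeps
header names in a case-sensitive table, so a caller-supplied "x-real-ip"
does not collide with the plugin's "X-Real-IP" and both lines are sent;
the fixed merge lowercases every name first, so the trusted value always
replaces the caller's.
"""
from ipaddress import ip_address, ip_network

REAL_IP_HEADER = "X-Real-IP"
# Assumption: models the Admin API allow-list (allow_admin) of a default install.
ADMIN_ALLOW = [ip_network("127.0.0.0/24")]


def build_subrequest_vulnerable(peer_ip, pipeline_headers):
    """Case-sensitive merge: the caller's headers go in first, then the
    trusted real-IP value is added under its canonical spelling. A caller
    key that differs only in case is not overwritten."""
    headers = dict(pipeline_headers)
    headers[REAL_IP_HEADER] = peer_ip
    # Assumption: lines are sent in insertion order, so the caller's entry
    # precedes the plugin's.
    return list(headers.items())


def build_subrequest_fixed(peer_ip, pipeline_headers):
    """Normalise every header name to lowercase before stamping the trusted
    value, so only one real-IP line exists and it carries the peer address."""
    headers = {name.lower(): value for name, value in pipeline_headers.items()}
    headers[REAL_IP_HEADER.lower()] = peer_ip
    return list(headers.items())


def receiver_real_ip(header_lines):
    """Receiver side: case-insensitive lookup, first occurrence wins."""
    for name, value in header_lines:
        if name.lower() == REAL_IP_HEADER.lower():
            return value
    return None


def admin_api_allowed(header_lines):
    """Allow-list check the Admin API would apply to the sub-request."""
    ip = receiver_real_ip(header_lines)
    if ip is None:
        return False
    return any(ip_address(ip) in net for net in ADMIN_ALLOW)


def simulate(builder, peer_ip="203.0.113.7"):
    """Run one constructed attacker pipeline entry through a builder and
    report whether the Admin API would accept it."""
    # Constructed attacker headers: spoof loopback via a lowercase name.
    pipeline_headers = {
        "x-real-ip": "127.0.0.1",
        "Content-Type": "application/json",
    }
    return admin_api_allowed(builder(peer_ip, pipeline_headers))


if __name__ == "__main__":
    print("vulnerable merge admits spoofed request:", simulate(build_subrequest_vulnerable))
    print("fixed merge admits spoofed request:     ", simulate(build_subrequest_fixed))
```

The general lesson is independent of APISIX: whenever a trusted value is stamped onto a header set that also contains caller input, normalise names before the merge, or strip the caller's copies of the trusted header first, because a case-sensitive table will happily hold two spellings of the same HTTP header.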
The vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature), CWE-863 (Incorrect Authorization) and CWE-918 (Server-Side Request Forgery). Of these, CWE-863 fits the root cause most closely: an authorization decision, the Admin API IP allow-list, is made on a client-controlled header.
It has a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability.
Impact
Successful exploitation lets a remote attacker bypass IP-based access controls and, on a default configuration, execute arbitrary code with the privileges of the APISIX (nginx) worker process. From there an attacker can read or rewrite gateway configuration, intercept or redirect traffic to backend services, exfiltrate data, move laterally into the internal network, or disrupt service. Because APISIX sits in front of every service routed through it, a compromised gateway exposes all of them.
Mitigation and workarounds
Upgrade to a release that contains the fix: 2.10.4 on the 2.10 LTS branch or 2.12.1 on the 2.12 branch; 2.13.0 and all later releases include it as well. Prioritise this update, since the vulnerability is critical and actively exploited, and restart every APISIX instance afterwards so the patched code is actually loaded. On any instance that was reachable while vulnerable, also rotate the admin key, because a successful exploit leaves the attacker with working Admin API credentials.
Where an immediate upgrade is not possible, the following reduce exposure without fixing the bug:
Disable the batch-requests plugin if it is not needed. APISIX loads only the plugins named in the plugins list, so define that list in conf/config.yaml without batch-requests (copy the list from config-default.yaml if config.yaml does not define one) and reload APISIX.
Replace the default admin key (edd1c9f034335f136f87ad84b625c8f1) with a random value and restrict allow_admin to the addresses that genuinely administer the gateway. The CVE description itself notes that a changed admin key or a dedicated Admin API port (port_admin) lowers the impact from code execution to an IP-restriction bypass.
Place network-level access controls or a web application firewall in front of the instance so that only trusted sources reach it, and if APISIX sits behind a reverse proxy, have the proxy block external requests to /apisix/batch-requests and /apisix/admin. This narrows the attack surface but does not remove the vulnerability.
CISA's recommendation: Apply updates per vendor instructions.
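As an added example for the workarounds above (written for this page, not an APISIX tool), the script below audits an APISIX 2.x conf/config.yaml for the four settings that turn this bug into remote code execution: batch-requests listed under plugins, the well-known default admin key, an allow_admin entry that admits every address, and no dedicated Admin API port. It is a plain text scan rather than a YAML parse, so it needs no third-party library; the two embedded configurations are constructed samples, and the assumption that admin settings live under the apisix: key is the 2.x layout (3.x moved them under deployment:).

```python
"""Audit an APISIX 2.x config.yaml for the settings that make
CVE-2022-24112 exploitable for remote code execution.

Added example written for this page, not an APISIX tool. Text scan only;
comments are stripped first so a commented-out setting is not counted.
"""
import re

DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"

# Constructed sample: a default-style, exposed configuration (2.x layout).
WEAK_CONFIG = """\
apisix:
  node_listen: 9080          # Admin API is served here too when port_admin is unset
  allow_admin:
    - 0.0.0.0/0              # any source may call the Admin API
  admin_key:
    - name: admin
      key: edd1c9f034335f136f87ad84b625c8f1   # shipped default key
      role: admin
plugins:
  - batch-requests
  - limit-count
"""

# Constructed sample: the same file after applying the workarounds.
HARDENED_CONFIG = """\
apisix:
  node_listen: 9080
  port_admin: 9180           # Admin API on its own port, firewalled separately
  allow_admin:
    - 10.0.0.0/8             # management network only
  admin_key:
    - name: admin
      key: 6f1c3e8b0e2d4c7a9b5f1e3d2c4b6a80   # random replacement (constructed)
      role: admin
plugins:
  - limit-count
"""


def _uncommented(text):
    """Drop full-line and trailing YAML comments."""
    kept = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        kept.append(re.sub(r"\s+#.*$", "", line))
    return "\n".join(kept)


def audit_config(text):
    """Return a sorted list of finding identifiers for the config text."""
    text = _uncommented(text)
    findings = []
    # Plugin is active only if it appears as a list entry under plugins.
    if re.search(r"^\s*-\s*batch-requests\s*$", text, re.M):
        findings.append("batch-requests-enabled")
    if DEFAULT_ADMIN_KEY in text:
        findings.append("default-admin-key")
    # Approximation: a 0.0.0.0/0 list entry anywhere; allow_admin is the
    # usual place for it in a 2.x file.
    if re.search(r"^\s*-\s*0\.0\.0\.0/0\s*$", text, re.M):
        findings.append("allow-admin-any")
    # Without port_admin the Admin API shares the data-plane listener.
    if not re.search(r"^\s*port_admin\s*:\s*\d+", text, re.M):
        findings.append("admin-api-on-data-port")
    return sorted(findings)


if __name__ == "__main__":
    print("weak config:    ", audit_config(WEAK_CONFIG))
    print("hardened config:", audit_config(HARDENED_CONFIG))
```

Run it against a real file with `audit_config(open("conf/config.yaml").read())`; an empty list means none of the four weak settings was found, which is a useful state to confirm after patching as well, since the upgrade does not change the admin key for you.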
Additional resources
Source: This report was generated using AI

