1. Summary
Vulnerability Name | Apache APISIX Remote Code Execution Vulnerability (CVE-2022-24112) |
---|---|
Release Date | February 25, 2022 |
Component Name | Apache APISIX |
Affected Versions | Apache APISIX < 2.10.4; 2.11.0 ≤ Apache APISIX < 2.12.1 |
Vulnerability Type | Remote Code Execution |
Severity | CVSS v3 Base Score 9.8 (Critical) |
Exploitability | Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None |
Impact | Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High |
2. About CVE-2022-24112
2.1 Introduction
Apache APISIX is a dynamic, real-time, high-performance API Gateway. APISIX API Gateway provides traffic management features such as load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and more.
2.2 Summary
On Feb 25, 2022, Sangfor FarSight Labs received a notice about the Apache APISIX Remote Code Execution vulnerability (CVE-2022-24112), classified as critical with a CVSS score of 9.8.
This vulnerability is caused by a lack of authentication. An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution, allowing attackers to gain root or admin access.
The impact is lower when the admin key is changed or the Admin API is moved to a port different from the data plane, but there is still a risk of bypassing the IP restriction of the Apache APISIX data plane. The batch-requests plugin contains a check that overrides the client IP with the real remote IP; however, this check can be bypassed due to a bug in the code.
CVE-2022-24112 was added to CISA's Known Exploited Vulnerabilities Catalog on August 25, 2022.
Figure 1. Exploits of CVE-2022-24112 detected by Sangfor from October 28 to November 26, 2022
For the most up-to-date exploit statistics, please visit the following page (registration required).
3. Affected Versions
Apache APISIX < 2.10.4
2.11.0 ≤ Apache APISIX < 2.12.1
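As an added triage example (not code from Sangfor or the Apache APISIX project), the helper below checks a version string against the affected ranges listed above and flags request records in which a batch-requests call (Section 2.2) reaches the Admin API prefix. The batch-requests endpoint path, the `pipeline`/`path` body fields and the JSON request-record layout are assumptions based on the plugin's public request format, not taken from this advisory.

```python
"""Triage helpers for CVE-2022-24112 (added example; assumptions noted inline)."""
import json
import re
from typing import List, Tuple

# Affected ranges exactly as the advisory states them: [0, 2.10.4) and [2.11.0, 2.12.1).
AFFECTED_RANGES = [((0, 0, 0), (2, 10, 4)), ((2, 11, 0), (2, 12, 1))]

BATCH_PATH = "/apisix/batch-requests"  # assumed batch-requests plugin endpoint
ADMIN_PREFIX = "/apisix/admin"         # assumed Admin API path prefix


def parse_version(v: str) -> Tuple[int, int, int]:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True if the APISIX version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def admin_targets(record: dict) -> List[str]:
    """Return Admin API paths reached through a batch-requests call, if any."""
    if record.get("method") != "POST" or record.get("uri") != BATCH_PATH:
        return []
    try:
        body = json.loads(record.get("body", ""))
    except json.JSONDecodeError:
        return []
    if not isinstance(body, dict):
        return []
    return [step.get("path", "") for step in body.get("pipeline", [])
            if isinstance(step, dict) and step.get("path", "").startswith(ADMIN_PREFIX)]


# Constructed sample records (hypothetical JSON request log, not a real APISIX log format).
SAMPLE_RECORDS = [
    {"client": "203.0.113.7", "method": "POST", "uri": "/apisix/batch-requests",
     "body": '{"pipeline":[{"path":"/apisix/admin/routes"}]}'},
    {"client": "198.51.100.2", "method": "POST", "uri": "/apisix/batch-requests",
     "body": '{"pipeline":[{"path":"/api/orders"},{"path":"/api/users"}]}'},
    {"client": "10.0.0.5", "method": "GET", "uri": "/apisix/admin/routes", "body": ""},
]


def scan(records: List[dict]) -> List[Tuple[str, List[str]]]:
    """List (client, admin paths) for every record that reaches the Admin API via batching."""
    return [(r["client"], admin_targets(r)) for r in records if admin_targets(r)]
```

A hit from `scan` on a version for which `is_affected` is true is worth an immediate look at the Admin API's key, port and allow-list settings, in addition to upgrading.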
4. Solutions
4.1 Remediation Solution
4.1.1 Apache Solution
Users can update their affected products to the latest version to fix the vulnerability: https://apisix.apache.org/downloads/
4.2 Sangfor Solutions
4.2.1 Security Monitoring
The following Sangfor products and services perform real-time monitoring of assets affected by the Apache APISIX Remote Code Execution vulnerability (CVE-2022-24112):
- Sangfor Cyber Command (Network Detection and Response)
- Sangfor Cyber Guardian (Managed Detection and Response)
4.2.2 Security Protection
The following Sangfor products and services provide protection against the Apache APISIX Remote Code Execution vulnerability (CVE-2022-24112):
5. Timeline
On Feb 25, 2022, Sangfor FarSight Labs received a notice about the Apache APISIX Remote Code Execution vulnerability (CVE-2022-24112).
On Feb 25, 2022, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.
6. Reference
https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94
https://nvd.nist.gov/vuln/detail/cve-2022-24112
7. Learn More
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.