Posted to notifications@apisix.apache.org by ju...@apache.org on 2022/02/12 04:09:28 UTC

[apisix-website] branch master updated: docs: add CVE-2022-24112 blog (#878)

This is an automated email from the ASF dual-hosted git repository.

juzhiyuan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 93ca4ae  docs: add CVE-2022-24112 blog (#878)
93ca4ae is described below

commit 93ca4ae50279738e1dbc9c0549067bf4a493c482
Author: Sylvia <39...@users.noreply.github.com>
AuthorDate: Sat Feb 12 12:07:55 2022 +0800

    docs: add CVE-2022-24112 blog (#878)
---
 website/blog/2022/02/11/cve-2022-24112.md          | 49 ++++++++++++++++++++++
 .../2022/02/11/cve-2022-24112.md                   | 49 ++++++++++++++++++++++
 2 files changed, 98 insertions(+)

diff --git a/website/blog/2022/02/11/cve-2022-24112.md b/website/blog/2022/02/11/cve-2022-24112.md
new file mode 100644
index 0000000..41bb04e
--- /dev/null
+++ b/website/blog/2022/02/11/cve-2022-24112.md
@@ -0,0 +1,49 @@
+---
+title: "Apache APISIX Risk Notice for Rewriting X-REAL-IP Header (CVE-2022-24112)"
+keywords: 
+- Risk Notice
+- Header
+- IP restrictions
+- CHAITIN
+description: In versions prior to Apache APISIX 2.12.1, there is a risk of rewriting X-REAL-IP header after enabling the Apache APISIX `batch- requests` plug-in. Now the processing information will be announced.
+tags: [Security]
+---
+
+> In versions prior to Apache APISIX 2.12.1, there is a risk of rewriting X-REAL-IP header after enabling the Apache APISIX `batch- requests` plug-in. Now the processing information will be announced.
+
+<!--truncate-->
+
+## Problem Description
+
+In versions of Apache APISIX prior to 2.12.1 (excluding 2.12.1 and 2.10.4), there is a risk of rewriting the X-REAL-IP header when the Apache APISIX batch-requests plugin is enabled.
+
+This risk leads to two problems:
+
+- An attacker bypasses the IP restrictions on the Apache APISIX data plane via the batch-requests plugin. For example, bypassing IP black and white list restrictions.
+- If the user uses the default Apache APISIX configuration (Admin API enabled, with the default Admin Key and no additional admin port assigned), an attacker can invoke the Admin API via the batch-requests plug-in.
+
+## Affected Versions
+
+- All versions of Apache APISIX between 1.3 ~ 2.12.1 (excluding 2.12.1)
+- All LTS versions of Apache APISIX between 2.10.0 ~ 2.10.4 (excluding 2.10.4)
+
+## Solution
+
+- This issue has been resolved in versions 2.12.1 and 2.10.4, please update to the relevant version as soon as possible.
+- In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.
+
+## Vulnerability details
+
+Severity:High
+
+Vulnerability public date: February 11, 2022
+
+CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-24112
+
+## Contributor Profile
+
+This vulnerability was discovered by CHAITIN in the Real World CTF and reported to the Apache Software Foundation by Sauercloud. Thank you for your contributions to the Apache APISIX community.
+
+![CHAITIN](https://static.apiseven.com/202108/1644480307386-91e48731-b872-480f-8a24-0de7e43d00a9.png)
+
+![Sauercloud](https://static.apiseven.com/202108/1644632196291-6b9bca14-7893-47c7-9f93-99c28ff54044.png)
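Review bot: the `description` front-matter line and the summary quote under it (`+> In versions prior to Apache APISIX 2.12.1 …`) both spell the plugin as `batch- requests` with a stray space inside the code span; it should be `batch-requests`, as the Problem Description paragraph and the zh file write it, and for consistency with the zh file the Problem Description and Solution bullets should put `batch-requests`, `conf/config.yaml` and `conf/config-default.yaml` in backticks. The opening sentence of Problem Description, "prior to 2.12.1 (excluding 2.12.1 and 2.10.4)", is confusing because 2.10.4 is itself prior to 2.12.1; state instead that the fix shipped in 2.12.1 and in the 2.10.4 LTS release and point to Affected Versions, where "between 1.3 ~ 2.12.1" should drop either "between" or the tilde (e.g. "from 1.3 up to, but not including, 2.12.1"). In the risk bullets, "An attacker bypasses the IP restrictions" should read "an attacker can bypass the IP restrictions", and since the second bullet names the default Admin Key and the shared admin port as the precondition for reaching the Admin API, the Solution list would serve operators better if it also told them to change the default Admin Key and bind the Admin API to a separate port rather than only disabling the plugin. Finally, "Severity:High" needs a space after the colon.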
diff --git a/website/i18n/zh/docusaurus-plugin-content-blog/2022/02/11/cve-2022-24112.md b/website/i18n/zh/docusaurus-plugin-content-blog/2022/02/11/cve-2022-24112.md
new file mode 100644
index 0000000..f84635b
--- /dev/null
+++ b/website/i18n/zh/docusaurus-plugin-content-blog/2022/02/11/cve-2022-24112.md
@@ -0,0 +1,49 @@
+---
+title: "Apache APISIX 存在改写 X-REAL-IP header 的风险公告(CVE-2022-24112)"
+keywords: 
+- 风险公告
+- Header
+- IP 限制
+- 长亭科技
+description: 在 Apache APISIX 2.12.1 之前的版本中,启用 Apache APISIX `batch-requests` 插件之后会存在改写 X-REAL-IP header 风险,现将处理信息进行相关公告。
+tags: [Security]
+---
+
+> 在 Apache APISIX 2.12.1 之前的版本中,启用 Apache APISIX `batch-requests` 插件之后会存在改写 X-REAL-IP header 风险,现将处理信息进行相关公告。
+
+<!--truncate-->
+
+## 问题描述
+
+在 Apache APISIX 2.12.1 之前的版本中(不包含 2.12.1 和 2.10.4),启用 Apache APISIX `batch-requests` 插件之后,会存在改写 X-REAL-IP header 风险。
+
+该风险会导致以下两个问题:
+
+- 攻击者通过 `batch-requests` 插件绕过 Apache APISIX 数据面的 IP 限制。如绕过 IP 黑白名单限制。
+- 如果用户使用 Apache APISIX 默认配置(启用 Admin API ,使用默认 Admin Key 且没有额外分配管理端口),攻击者可以通过 `batch-requests` 插件调用 Admin API 。
+
+## 影响版本
+
+- Apache APISIX 1.3 ~ 2.12.1  之间的所有版本(不包含 2.12.1 )
+- Apache APISIX 2.10.0 ~ 2.10.4 LTS 之间的所有版本 (不包含 2.10.4)
+
+## 解决方案
+
+- 该问题目前已在 2.12.1 和 2.10.4 版本中得到解决,请尽快更新至相关版本。
+- 在受影响的 Apache APISIX 版本中,可以对 `conf/config.yaml` 和 `conf/config-default.yaml` 文件显式注释掉 `batch-requests`,并且重启 Apache APISIX 即可规避此次风险。
+
+## 漏洞详情
+
+漏洞优先级:高
+
+漏洞公开时间:2022 年 2 月 11 日
+
+CVE 详细信息:https://nvd.nist.gov/vuln/detail/CVE-2022-24112
+
+## 贡献者简介
+
+该漏洞由长亭科技在 Real World CTF 中发现,并由 Sauercloud 上报给 Apache 软件基金会。感谢各位对 Apache APISIX 社区的贡献。
+
+![长亭科技](https://static.apiseven.com/202108/1644480307386-91e48731-b872-480f-8a24-0de7e43d00a9.png)
+
+![Sauercloud](https://static.apiseven.com/202108/1644632196291-6b9bca14-7893-47c7-9f93-99c28ff54044.png)
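Review bot: spacing in the 影响版本 bullets is inconsistent: `2.12.1  之间` has a double space and `LTS 之间的所有版本 (不包含 2.10.4)` puts a space before the parenthesis that the first bullet does not, so normalise both. The trailing whitespace after `keywords:` in the front matter (present in both files) should be trimmed, and the spaces before full-width punctuation in the second risk bullet (`Admin API ，` and `Admin API 。`) should be removed. Otherwise this file matches the English one, and it is the better of the two: it writes `batch-requests` correctly and wraps the plugin name and the `conf/config.yaml` / `conf/config-default.yaml` paths in code spans, which the English file should be aligned to.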