External risk intelligence

Apache APISIX Remote Code Execution Vulnerability.

CVE advisoryKnown Exploit

CVE-2022-24112

Apache APISIX, an API gateway, has a vulnerability allowing remote code execution by bypassing IP restrictions on the Admin API. This impacts organizations using Apache APISIX, potentially leading to unauthorized system access and control. Attackers can exploit this by abusing the batch-requests plugin.

5Halo Surface Signal

Remote Code Execution

Apache Apisix

before 2.10.42.11.0 to before 2.12.1

External exposure likelihood

Halo Surface Signal score for CVE-2022-24112

Apache APISIX is an API gateway designed to be deployed at the network edge to manage, secure, and route public internet traffic. As a primary ingress point for web services and APIs, it is architecturally intended to be internet-facing by design.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

Apache APISIX, an API gateway, has a vulnerability that allows unauthorized access to its administrative interface. This flaw can be exploited to bypass security restrictions, potentially leading to unauthorized command execution on affected systems. The impact can include unauthorized access to sensitive data and the ability for attackers to gain control over compromised systems.

  • Vulnerable API gateway
  • Bypasses IP restrictions
  • Enables unauthorized access and control

Attack Path

How an attacker could exploit the issue

An attacker can bypass IP restrictions on the Admin API of Apache APISIX. This is achieved by abusing the batch-requests plugin to send specially crafted requests. This bypass can lead to the execution of arbitrary code on the affected system. The impact is reduced if the default admin key is changed or if the Admin API port is altered, but the risk of IP restriction bypass persists.

  • Exposure condition: Admin API is exposed externally.
  • Attacker starting point: Unauthenticated network access.
  • Trigger and result: Abuse batch-requests plugin for code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk to organizations utilizing Apache APISIX in its default configuration. Attackers can exploit this flaw to bypass security restrictions, potentially leading to unauthorized access and remote code execution. The ability to execute arbitrary code on affected systems could allow attackers to compromise sensitive data, disrupt operations, and establish a persistent presence within the network.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical vulnerability in Apache APISIX allows attackers to bypass IP restrictions and execute remote code. This exposure impacts organizations using Apache APISIX, potentially leading to unauthorized access and control of systems. The exploit can be achieved by abusing the batch-requests plugin to send requests that circumvent the Admin API's IP restrictions. Organizations should prioritize addressing this vulnerability to mitigate business risk.

  • Identify Apache APISIX assets.
  • Reduce exposure or isolate risk.
  • Apply vendor fix and validate.
  • Monitor for related issues.

Frequently asked questions

What is Apache APISIX and its primary function?

Apache APISIX is an open-source API gateway. It is designed to manage, secure, and route network traffic for web services and APIs, serving as a central entry point for applications.

What type of security weakness does CVE-2022-24112 represent?

CVE-2022-24112 is classified as an authentication bypass vulnerability (CWE-290). This weakness allows an attacker to circumvent security mechanisms that verify user identity or access permissions.

How can the CVE-2022-24112 vulnerability be exploited in Apache APISIX?

Attackers can exploit this vulnerability by leveraging the batch-requests plugin to send specific requests. This abuse allows them to bypass IP restrictions on the Admin API, which could lead to remote code execution.

What is the significance of CVE-2022-24112 given its context?

The Apache APISIX authentication bypass vulnerability (CVE-2022-24112) poses a significant risk because it can allow unauthorized remote code execution. This could lead to the compromise of sensitive data and control over affected systems.

What steps should be taken to address the Apache APISIX vulnerability?

To mitigate this risk, organizations should identify their Apache APISIX assets, reduce exposure or isolate the affected systems, apply vendor-provided fixes, and validate that the updates are successful. Continuous monitoring for related issues is also recommended.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified