Apache APIs IX has the risk of rewriting the x-real-ip header (cve-2022-24112)

Problem description

stay Apache APISIX 2.12.1 In the previous version （ It doesn't contain 2.12.1 and 2.10.4）, Enable Apache APISIX batch-requests  After the plug-in , There will be rewriting X-REAL-IP header risk .

This risk leads to two problems ：

• Through  batch-requests  Plug ins bypass Apache APISIX Data plane IP Limit . For example, bypass IP Black and white list restrictions .
• If the user uses Apache APISIX The default configuration （ Enable Admin API , Use the default Admin Key And no additional management ports are assigned ）, Attackers can get through  batch-requests  Plug in call Admin API .

Affects version

• Apache APISIX 1.3 ~ 2.12.1 Between all versions （ It doesn't contain 2.12.1 ）
• Apache APISIX 2.10.0 ~ 2.10.4 LTS Between all versions （ It doesn't contain 2.10.4）

Solution

• The problem has been solved in 2.12.1 and 2.10.4 Resolved in version , Please update to the relevant version as soon as possible .
• In the affected Apache APISIX In the version , It can be done to  conf/config.yaml  and  conf/config-default.yaml  File explicitly commented out  batch-requests, And restart Apache APISIX This risk can be avoided .

Vulnerability Details

Vulnerability priority ： high

Vulnerability disclosure time ：2022 year 2 month 11 Japan

CVE Details ：https://nvd.nist.gov/vuln/detail/CVE-2022-24112

Contributor profile

The vulnerability was discovered by Changting technology in Real World CTF Found in , And by the Sauercloud Report to Apache Software foundation . Thank you for Apache APISIX Community contribution .