
Recently, Apache APISIX officially released a security bulletin, disclosing a remote code execution vulnerability (CVE-2022-24112) in Apache APISIX versions prior to 2.12.1. After enabling the Apache APISIX batch-requests plugin, an attacker can bypass IP restrictions on the Apache APISIX data plane (such as bypassing IP blacklist and whitelist restrictions) through the batch-requests plugin. If the user uses the Apache APISIX default configuration (with Admin API enabled, with the default Admin Key and no additional admin port assigned), an attacker can invoke the Admin API via the batch-requests plugin, resulting in remote code execution.

Apache APISIX is a dynamic, real-time, high-performance API gateway. APISIX provides rich traffic management features such as load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and more. You can use Apache APISIX to handle traditional north-south traffic, as well as east-west traffic between services. It can also be used as a k8s ingress controller.
Affected version
- Apache APISIX 1.3 – 2.12.1
- Apache APISIX 2.10.0 – 2.10.4 LTS
Unaffected version
- Apache APISIX 2.12.1 (excluding 2.12.1)
- Apache APISIX 2.10.4 (LTS versions) (excluding 2.10.4)
Solution
At present, Apache APISIX has been released to fix the CVE-2022-24112 vulnerability, please the users should upgrade to the unaffected version as soon as possible.
Mitigation:
You can comment out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restart Apache APISIX.