CVE-2024-32971: Critical Vulnerability in Apollo Router Compromises Data Integrity

A critical-severity vulnerability, identified as CVE-2024-32971 with a CVSS score of 9.1, has been discovered in versions 1.44.0 and 1.45.0 of the Apollo Router, a high-performance graph router written in Rust designed for handling federated supergraphs in production environments. This vulnerability has raised significant concerns about the integrity of operations executed through the Apollo Router, prompting an urgent advisory for users to update their systems immediately.

Vulnerability Details

The flaw resides in the query plan cache of the Apollo Router and affects instances configured with distributed query plan caching. The specific versions impacted are 1.44.0 and 1.45.0, released on April 12 and April 22, 2024, respectively. The vulnerability could lead to the execution of incorrect operations due to a defect in the cache retrieval logic of the Apollo Router. This might result in unintended mutations or the retrieval of incorrect data, depending on the type of operation requested by the user.

For example, a query intended to fetch certain types of user data could erroneously retrieve different data, or a mutation operation might target the wrong database records. This mishandling is due to the Apollo Router mistakenly executing a modified version of a previously cached operation, particularly problematic when Redis is used for caching.

Impact and Scope

The CVE-2024-32971 vulnerability only impacts Apollo Router instances that utilize distributed query plan caching. If your instance employs this specific configuration, as evidenced by the presence of a Redis URL in the router’s configuration YAML, it is vulnerable:

supergraph:
  query_planning:
    cache:
      # Look for this config below
      redis:
        urls: ["redis://..."]

Other configurations, or those using different caching mechanisms, are not affected.

Mitigation Measures

In response to this discovery, the developers of Apollo Router have released a new version, 1.45.1, which addresses the caching issue and restores the expected functionality. Users of the affected versions are advised to either upgrade to version 1.45.1 or higher or downgrade to version 1.43.2. It is important to note that versions 1.44.0 and 1.45.0 have been withdrawn from circulation due to the risks they pose.

For those unable to immediately upgrade or downgrade, there is a workaround available. Users can disable distributed query plan caching by removing (supergraph.query_planning.cache.redis.urls) or commenting out the Redis URL in their configuration. This change will revert each router instance to use its own in-memory query plan cache. However, this may increase the resource utilization per instance and could lead to longer cold-start times as each instance builds up its cache.

Urgency for Action

Due to the potential for significant data integrity issues and the possibility of unauthorized data manipulation, it is critical for organizations using Apollo Router in production environments to take immediate action. The developers have strongly recommended that all impacted versions be migrated away from as soon as possible, especially in production environments. For non-production settings, updating at the earliest convenience still remains crucial to maintaining operational integrity and security.