Apache Path traversal in request_uri variable(CVE-2021-43557)

admin 2025-01-15


In versions prior to Apache 2.10.2, a "partial restriction bypass" issue existed: the use of the $request_uri variable in the Apache Ingress Controller exposed a path traversal risk.

Problem Description


When testing the scenario with the uri-blocker plugin, we observed the following:

$ ./_request.sh "/public-service/public"
Defaulted container "" out of: , wait-etcd (init)
{"data":"public data"}

$ ./_request.sh "/protected-service/protected"
Defaulted container "" out of: , wait-etcd (init)
<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty</center></body></html>

In these two requests, public-service is reachable and protected-service is blocked by the plugin. Further verification and testing of these scenarios showed that the URI restriction can be bypassed in both cases.

Because the uri-blocker plugin uses the ctx.var.request_uri variable improperly, the following problems result:

  • An attacker can bypass the access control restrictions and successfully access routes that should not be reachable;
  • Developers of custom plugins are not aware that the ngx.var.request_uri variable is untrusted.

Affected Versions

All versions of Apache prior to 2.10.2 (excluding 2.10.2)

Solution

This issue has been fixed in version 2.10.2 and later; please upgrade to a fixed version as soon as possible.

For custom plugins, we suggest normalizing the path before using the ngx.var.request_uri variable. Two other variables, ctx.var.upstream_uri and ctx.var.uri, are very likely already normalized and are worth checking instead.
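As an added example (not the advisory's or the project's code), the following Python models the uri-blocker style check twice: once against the raw request URI, as the vulnerable plugin did, and once after path normalization, as recommended above. The block rules, the sample requests and the `divergent` audit helper are constructed for illustration; a real plugin would do this in Lua against ngx.var.request_uri.

```python
"""Model of a uri-blocker style check, raw vs. normalized path (added example)."""
import re
from urllib.parse import unquote

# Constructed block rules in the uri-blocker style: regexes matched on the path.
BLOCK_RULES = [r"^/protected-service/"]

# Constructed sample request URIs, as a custom plugin would see ngx.var.request_uri.
SAMPLE_REQUESTS = [
    "/public-service/public",
    "/protected-service/protected",
    "//protected-service/protected",
    "/public-service/../protected-service/protected",
    "/%70rotected-service/protected?x=1",
]


def normalize_path(request_uri: str) -> str:
    """Reduce a raw request URI to a canonical path before any access decision.

    Drops the query string, percent-decodes once, collapses repeated slashes and
    resolves '.' / '..' segments (a simplified RFC 3986 remove_dot_segments).
    """
    path = unquote(request_uri.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):       # empty: duplicate slash; '.': same directory
            continue
        if seg == "..":            # climb one level, but never above the root
            if out:
                out.pop()
            continue
        out.append(seg)
    norm = "/" + "/".join(out)
    if path.endswith("/") and norm != "/":
        norm += "/"                # keep a meaningful trailing slash
    return norm


def blocked_raw(request_uri: str, rules=BLOCK_RULES) -> bool:
    """Vulnerable pattern: rules are matched against the raw request URI."""
    return any(re.search(r, request_uri) for r in rules)


def blocked_normalized(request_uri: str, rules=BLOCK_RULES) -> bool:
    """Fixed pattern: normalize first, then match the rules."""
    return any(re.search(r, normalize_path(request_uri)) for r in rules)


def divergent(requests):
    """Audit helper: URIs where the raw and normalized decisions disagree."""
    return [u for u in requests if blocked_raw(u) != blocked_normalized(u)]
```

Running `divergent(SAMPLE_REQUESTS)` lists exactly the requests a raw-URI rule lets through but a normalized-path rule blocks, which is a useful check to run over access logs when reviewing a custom plugin.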

Vulnerability details

Vulnerability public date: November 22, 2021
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-43557

Contributor Profile

The vulnerability was discovered by community user Marcin Niemiec (GitHub @xvnpw) and reported to the Apache Software Foundation in a timely manner.

Thanks to Marcin Niemiec for his contribution to the Apache community.
