CVE-2022-24112: 
Apache APISIX vulnerability analysis and mitigation

CVE-2022-24112 is a critical authentication bypass vulnerability affecting Apache APISIX, discovered in February 2022. The vulnerability allows attackers to abuse the batch-requests plugin to bypass IP restrictions of the Admin API. In default configurations with the default API key, this vulnerability can lead to remote code execution. The vulnerability affects Apache APISIX versions up to 2.10.4 and versions from 2.11.0 up to 2.12.1 (NVD, OSS Security).

The vulnerability exists due to a bug in the batch-requests plugin's code that allows bypassing the check which normally overrides the client IP with its real remote IP. This bypass enables attackers to send requests that circumvent IP restrictions. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating its severe nature and potential for remote exploitation without requiring privileges or user interaction (NVD).

The impact varies depending on the configuration. In default configurations with the default API key, attackers can achieve remote code execution. Even when the admin key is changed or the Admin API port is modified, attackers can still potentially bypass IP restrictions of Apache APISIX's data panel. This vulnerability has been actively exploited in the wild and was added to CISA's Known Exploited Vulnerabilities Catalog (Hacker News).

Two primary mitigation options are available: 1) Explicitly configure the enabled plugins in 'conf/config.yaml' and ensure 'batch-requests' is disabled (or comment out 'batch-requests' in 'conf/config-default.yaml'), or 2) Upgrade to version 2.10.4 or 2.12.1. CISA has mandated Federal Civilian Executive Branch agencies to apply updates according to vendor instructions by September 15, 2022 (OSS Security).