This is an automated email from the ASF dual-hosted git repository.

juzhiyuan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 62cc6b7  docs: add CVE-2021-43557 announcement (#770)
62cc6b7 is described below

commit 62cc6b79ba9d60af26549a9d75a01d4e0013c098
Author: Sylvia <[email protected]>
AuthorDate: Wed Nov 24 09:44:13 2021 +0800

    docs: add CVE-2021-43557 announcement (#770)
    
    Co-authored-by: 琚致远 <[email protected]>
---
 website/blog/2021/11/23/cve-2021-43557.md          | 69 ++++++++++++++++++++++
 .../2021/11/23/cve-2021-43557.md                   | 69 ++++++++++++++++++++++
 2 files changed, 138 insertions(+)

diff --git a/website/blog/2021/11/23/cve-2021-43557.md 
b/website/blog/2021/11/23/cve-2021-43557.md
new file mode 100644
index 0000000..598d9b4
--- /dev/null
+++ b/website/blog/2021/11/23/cve-2021-43557.md
@@ -0,0 +1,69 @@
+---
+title: "Apache APISIX Path traversal in request_uri variable(CVE-2021-43557)"
+author: "Sylvia"
+authorURL: "https://github.com/SylviaBABY";
+authorImageURL: "https://avatars.githubusercontent.com/u/39793568?v=4";
+keywords:
+- APISIX
+- Apache APISIX
+- Ingress Controller
+- Request_uri
+description: In versions prior to Apache APISIX 2.10.2, there was a problem of 
"bypassing partial restrictions" that caused the risk of path penetration by 
using the $request_uri variable in Apache APISIX Ingress Controller. 
+tags: [Security]
+---
+
+> In versions prior to Apache APISIX 2.10.2, there was a problem of "bypassing 
partial restrictions" that caused the risk of path penetration by using the 
$request_uri variable in Apache APISIX Ingress Controller.
+
+<!--truncate-->
+
+## Problem Description
+
+In versions prior to Apache APISIX 2.10.2, there was a problem of "bypassing 
partial restrictions" that caused the risk of path penetration by using the 
$request_uri variable in Apache APISIX Ingress Controller.
+
+When using the `uri-blocker` plug-in to test the scenario, we found that:
+
+```shell
+$ ./apisix_request.sh "/public-service/public"
+Defaulted container "apisix" out of: apisix, wait-etcd (init)
+{"data":"public data"}
+```
+
+```shell
+$ ./apisix_request.sh "/protected-service/protected"
+Defaulted container "apisix" out of: apisix, wait-etcd (init)
+<html>
+<head><title>403 Forbidden</title></head>
+<body>
+<center><h1>403 Forbidden</h1></center>
+<hr><center>openresty</center>
+</body>
+</html>
+```
+
+In both scenarios, `public-service` is available and `protected-service` is 
blocked by plug-ins. After the verification and testing of the above scenarios, 
it is found that both cases can bypass the limitations of Uri.
+
+Due to the improper use of `ctx.var.require_uri` variables by the 
`uri-blocker` plug-in, the following results:
+
+- Attacker can bypass access control restrictions and perform successful 
access to routes that shouldn’t be able to;
+- Developers of custom plugins have no knowledge that `ngx.var.request_uri` 
variable is untrusted.
+
+## Affected Versions
+
+All versions of Apache APISIX prior to 2.10.2 (excluding 2.10.2)
+
+## Solution
+
+This issue has been resolved in version 
[2.10.2](http://apisix.apache.org/downloads/) +, please update to the relevant 
version as soon as possible.
+
+In case of custom plugins, we suggest to do path normalization before using 
`ngx.var.request_uri` variable. There are also two other variables, high 
probably normalized, to check `ctx.var.upstream_uri` and `ctx.var.uri`.
+
+## Vulnerability details
+
+Vulnerability public date: November 22, 2021
+CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-43557
+
+## Contributor Profile
+
+The vulnerability was discovered by community user Marcin Niemiec 
(GitHub[@xvnpw](https://github.com/xvnpw)) and reported to the Apache Software 
Foundation in a timely manner.
+
+Thanks to Marcin Niemiec for his contribution to the Apache APISIX community.
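Review bot: the root-cause sentence names a variable that does not exist: "Due to the improper use of `ctx.var.require_uri` variables by the `uri-blocker` plug-in" should read `ctx.var.request_uri`, matching the title and the later "`ngx.var.request_uri` variable is untrusted"; as written, anyone grepping their own plugins for the unsafe variable will search for the wrong name. Second, the two transcripts only show the intended behaviour (`/public-service/public` returns `{"data":"public data"}`, `/protected-service/protected` returns 403), yet the paragraph after them concludes "it is found that both cases can bypass the limitations of Uri" without showing the request that gets past the block; either add that request and its response, or reword the sentence so it does not claim something the transcript does not demonstrate. Third, the remediation text is inconsistent about which project is affected: the description and summary say the problem is "using the $request_uri variable in Apache APISIX Ingress Controller", but the affected and fixed versions (2.10.2) and the `uri-blocker` plugin are Apache APISIX itself; state the affected component once and precisely. Fourth, "There are also two other variables, high probably normalized, to check `ctx.var.upstream_uri` and `ctx.var.uri`" is too vague to act on; say plainly that `ngx.var.request_uri` is the raw request-line URI as the client sent it (query string included, no percent-decoding, no dot-segment resolution), while `ngx.var.uri` is the path nginx has already decoded and normalized, so blocklist rules should be matched against the normalized path rather than the raw one. Minor: `[2.10.2](http://apisix.apache.org/downloads/) +,` has a stray space before the `+`; "Vulnerability public date:" and "CVE details:" on consecutive lines with no blank line or list marker will render as a single paragraph in Docusaurus; and if the trailing `;` after the quoted `authorURL` and `authorImageURL` values is in the file rather than an artifact of this mail rendering, the YAML front matter will fail to parse.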
diff --git 
a/website/i18n/zh/docusaurus-plugin-content-blog/2021/11/23/cve-2021-43557.md 
b/website/i18n/zh/docusaurus-plugin-content-blog/2021/11/23/cve-2021-43557.md
new file mode 100644
index 0000000..101a517
--- /dev/null
+++ 
b/website/i18n/zh/docusaurus-plugin-content-blog/2021/11/23/cve-2021-43557.md
@@ -0,0 +1,69 @@
+---
+title: "Apache APISIX request_uri 变量控制不当,存在路径遍历风险公告(CVE-2021-43557)"
+author: "苏钰"
+authorURL: "https://github.com/SylviaBABY";
+authorImageURL: "https://avatars.githubusercontent.com/u/39793568?v=4";
+keywords:
+- APISIX
+- Apache APISIX
+- Ingress Controller
+- Request_uri
+description: 在 Apache APISIX 2.10.2 之前的版本中,使用 Apache APISIX Ingress Controller 
中$request_uri 变量存在「绕过部分限制」导致路径穿透风险的处理公告。
+tags: [Security]
+---
+
+> 在 Apache APISIX 2.10.2 之前的版本中,使用 Apache APISIX Ingress Controller 
中$request_uri 变量存在「绕过部分限制」导致路径穿透风险的处理公告。
+
+<!--truncate-->
+
+## 问题描述
+
+在 Apache APISIX 2.10.2 之前的版本中,使用 Apache APISIX Ingress Controller 
中$request_uri 变量存在「绕过部分限制」导致路径穿透风险的问题。
+
+在使用 uri-blocker 插件进行测试场景时发现:
+
+```shell
+$ ./apisix_request.sh "/public-service/public"
+Defaulted container "apisix" out of: apisix, wait-etcd (init)
+{"data":"public data"}
+```
+
+```shell
+$ ./apisix_request.sh "/protected-service/protected"
+Defaulted container "apisix" out of: apisix, wait-etcd (init)
+<html>
+<head><title>403 Forbidden</title></head>
+<body>
+<center><h1>403 Forbidden</h1></center>
+<hr><center>openresty</center>
+</body>
+</html>
+```
+
+在上述两种场景下,`public-service` 是可用的,`protected-service` 
则被插件阻止了。后续对上述场景进行验证测试,发现两种情况均能绕过 Uri 的限制。
+
+由于 `uri-blocker` 插件使用 `ctx.var.require_uri` 变量不当,导致:
+
+- 攻击者可以绕过访问控制限制逻辑,访问本应该禁止的 API;
+- 自定义插件的开发者或许不知道 `ngx.var.request_uri` 变量是不可信任的。
+
+## 影响版本
+
+Apache APISIX 2.10.2 之前的所有版本(不包含 2.10.2)
+
+## 解决方案
+
+该问题目前已在 [2.10.2](http://apisix.apache.org/downloads/)+ 版本中得到解决,请尽快更新至相关版本。
+
+操作建议:如果在使用自定义插件时,可在使用 `ngx.var.request_uri` 变量前进行路径规范化的相关处理。同时额外检查下 
`ctx.var.upstream_uri` 和 `ctx.var.uri` 这两个变量,虽然可能已经被规范化了,但防患于未然。
+
+## 漏洞详情
+
+漏洞公开时间:2021 年 11 月 22 日
+CVE 详细信息:https://nvd.nist.gov/vuln/detail/CVE-2021-43557
+
+## 贡献者简介
+
+该漏洞由社区用户 Marcin Niemiec(GitHub[@xvnpw](https://github.com/xvnpw))发现,并及时向 
Apache 软件基金会上报该漏洞。
+
+感谢 Marcin Niemiec 对 Apache APISIX 社区的贡献。
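Review bot: the zh translation carries the same root-cause typo as the English file: "由于 `uri-blocker` 插件使用 `ctx.var.require_uri` 变量不当" ("due to the uri-blocker plugin's improper use of the `ctx.var.require_uri` variable") should name `ctx.var.request_uri`, consistent with the title and with "`ngx.var.request_uri` 变量是不可信任的" two lines later. Likewise "发现两种情况均能绕过 Uri 的限制" ("both cases were found to bypass the URI restriction") follows two transcripts that only show the expected allow and 403 responses, with no bypassing request shown; add the request or drop the claim. The description and summary attribute the issue to "Apache APISIX Ingress Controller 中$request_uri 变量" while the affected versions, the 2.10.2 fix and the `uri-blocker` plugin all belong to Apache APISIX itself; pick one and keep the two language versions in agreement. The remediation paragraph ("虽然可能已经被规范化了,但防患于未然", "although they have probably been normalized, better safe than sorry") should state the concrete difference: `ngx.var.request_uri` is the raw request-line URI as sent by the client, `ngx.var.uri` is the decoded and normalized path, and matching should be done on the latter. Minor: "漏洞公开时间" and "CVE 详细信息" on adjacent lines will render as one paragraph without a blank line or list marker, and the trailing `;` after the quoted `authorURL`/`authorImageURL` values will break the YAML front matter if it is really in the file.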