CVE-2024-28101 - Apollo Router Denial-of-Service Vulnerability: Exploit Details and Mitigation Measures

Overview

A recently discovered vulnerability (CVE-2024-28101) affects the Apollo Router, a popular graph router written in Rust, used to run federated supergraphs in the context of Apollo Federation. This vulnerability specifically targets versions .9.5 through 1.40.2 of the Apollo Router. It is a Denial-of-Service (DoS) type vulnerability that can lead to significant memory consumption and potential for service disruption when processing compressed HTTP payloads. In this post, we will cover the details of this vulnerability, code snippets that demonstrate its exploitation, and mitigation measures for those affected.

Exploit Details

When receiving compressed HTTP payloads, the Apollo Router evaluates the limits.http_max_request_bytes configuration option only _after_ decompressing the entire payload. This means that if the payload is highly compressed, the memory footprint of the associated request can balloon, ultimately resulting in a potential Denial-of-Service situation.

For instance, a simple HTTP POST request with inflated data and the "Content-Encoding" header set to "gzip" can trigger the vulnerability. Here is a Python code snippet demonstrating this exploit:

import requests
import gzip

# Replace this with the target Apollo Router endpoint
target_url = "http://localhost:400/";

# Replace this with a highly compressed payload
payload = b'{"query":"{__schema{types{name}}}","variables":null,"operationName":null}'

compressed_payload = gzip.compress(payload)

headers = {
    'Content-Encoding': 'gzip',
    'Content-Type': 'application/json',
}

response = requests.post(target_url, data=compressed_payload, headers=headers)

print(response.status_code)

Mitigation Measures

Thankfully, the Apollo team has released a fix for this vulnerability as of version 1.40.2. We highly recommend upgrading your Apollo Router to the latest version to protect against this potential threat. However, if you're unable to upgrade immediately, there are several alternative mitigation strategies available.

Implement limits on HTTP body upload size at the proxy or load balancer level

Various proxies and load balancers can be used to limit HTTP upload sizes. For example, in Nginx, the following configuration snippet can be used to limit the upload size to 100 MB:

http {
    ...
    client_max_body_size 100m;
}

Similar configurations can be done in HAProxy or other load balancers. For cloud-native Web Application Firewall (WAF) Services like AWS WAF, Azure Front Door, or Google Cloud Armor, consult their respective documentation for details on body size limitations.

Employ rate limiting at the proxy, load balancer, or Router level

This can help protect against DoS attacks by limiting the number of requests from a single IP address.

Original References

1. Apollo Router GitHub Repository
2. Apollo Federation
3. CVE-2024-28101 - NVD

Conclusion

In this post, we've described the CVE-2024-28101 vulnerability affecting Apollo Router versions .9.5 to 1.40.2 and provided a code snippet to demonstrate its exploitation. To secure your systems, we recommend upgrading to the latest version of Apollo Router or implementing the suggested mitigation measures to protect against potential DoS attacks. Stay vigilant, and keep your software up-to-date to avoid possible security vulnerabilities.

Timeline

Published on: 03/21/2024 02:52:23 UTC
Last modified on: 03/21/2024 12:58:51 UTC