Summary: Apollo Router's distributed query plan caching feature is affected by a bug that could result in unintended operations being executed. This post provides details on the affected versions, exploit scenarios, and potential mitigations.

Introduction

Apollo Router is a configurable graph router written in Rust, designed to serve a federated supergraph built with Apollo Federation 2. Under certain conditions, a vulnerability in specific versions of Apollo Router can cause the router to execute an operation other than the one the client sent, which may return data the client did not ask for or trigger side effects it did not intend.

This vulnerability (CVE-2024-32971) affects router instances that have distributed query plan caching enabled.

Exploit Details

The root cause of CVE-2024-32971 is a bug in Apollo Router's cache retrieval logic. When distributed query plan caching is enabled on an affected version, executing an operation (query, mutation, or subscription) can result in the router executing an unexpected variant of that operation, or in unexpected errors.

Concretely, the router can retrieve from the shared cache (Redis) the query plan of a previously executed operation and execute that plan for a different, modified variant of the same operation. What this means in practice depends on the type of the operation.

Example Scenario

For a query, results may be fetched that don't match what was requested.

Example

// Intended operation
fetchUsers(type: ENTERPRISE)

// Unexpected operation due to bug
fetchUsers(type: TRIAL)

For a mutation, this may result in an incorrect mutation being sent to the underlying subgraph servers. Because mutations have side effects, this is the more serious case: in the example below, a user other than the one the client named would be deleted, and the subgraph has no way to tell that the request was not what the client intended.

Example

// Intended operation
deleteUser(id: 10)

// Unexpected operation due to bug
deleteUser(id: 12)
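The failure mode described in this section, modelled as an added Rust example. This is not Apollo Router's code: the planner, the cache and, in particular, the defective key derivation are simplified stand-ins chosen to illustrate how a cache lookup can hand back the plan of a previously seen variant of an operation, not a description of the router's actual bug. The sample operations are constructed from the scenarios above.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// A GraphQL operation as a router receives it: the full document text and
/// the name of the operation to execute.
#[derive(Debug, Clone)]
pub struct Operation {
    pub name: String,
    pub document: String,
}

impl Operation {
    pub fn new(name: &str, document: &str) -> Self {
        Operation { name: name.to_string(), document: document.to_string() }
    }
}

/// Stand-in for a query plan. A real plan is a tree of subgraph fetches; here
/// it is just the single subgraph request the plan would issue.
#[derive(Debug, Clone, PartialEq)]
pub struct QueryPlan {
    pub subgraph_request: String,
}

/// Stand-in for the query planner: the "plan" forwards the planned document
/// to the users subgraph, so whatever document was planned is what runs.
pub fn plan_operation(op: &Operation) -> QueryPlan {
    QueryPlan { subgraph_request: format!("users subgraph <- {}", op.document) }
}

fn hash64<T: Hash>(value: &T) -> u64 {
    let mut h = DefaultHasher::new();
    value.hash(&mut h);
    h.finish()
}

/// DEFECTIVE key derivation (hypothetical, for illustration only): the key
/// covers the operation name and the document with argument lists stripped,
/// so `fetchUsers(type: ENTERPRISE)` and `fetchUsers(type: TRIAL)` collide.
pub fn defective_cache_key(op: &Operation) -> u64 {
    let mut stripped = String::new();
    let mut depth = 0usize;
    for c in op.document.chars() {
        match c {
            '(' => depth += 1,
            ')' => depth = depth.saturating_sub(1),
            _ if depth == 0 => stripped.push(c),
            _ => {}
        }
    }
    hash64(&(&op.name, &stripped))
}

/// Sound key derivation: every input the plan depends on is part of the key,
/// here the operation name and the exact document text.
pub fn sound_cache_key(op: &Operation) -> u64 {
    hash64(&(&op.name, &op.document))
}

/// A minimal plan cache. The HashMap stands in for the shared Redis store;
/// the lookup-then-plan logic is the part that matters.
pub struct PlanCache {
    key_fn: fn(&Operation) -> u64,
    store: HashMap<u64, QueryPlan>,
}

impl PlanCache {
    pub fn new(key_fn: fn(&Operation) -> u64) -> Self {
        PlanCache { key_fn, store: HashMap::new() }
    }

    /// The plan that would actually be executed for `op`: a cached plan if
    /// the key matches, otherwise a freshly planned one that is then cached.
    pub fn plan_for(&mut self, op: &Operation) -> QueryPlan {
        let key = (self.key_fn)(op);
        self.store.entry(key).or_insert_with(|| plan_operation(op)).clone()
    }
}

/// Run a sequence of operations through one cache and collect the plan each
/// of them was served.
pub fn served_plans(key_fn: fn(&Operation) -> u64, ops: &[Operation]) -> Vec<QueryPlan> {
    let mut cache = PlanCache::new(key_fn);
    ops.iter().map(|op| cache.plan_for(op)).collect()
}

fn main() {
    // Constructed sample traffic mirroring the scenarios in the post.
    let ops = vec![
        Operation::new("FetchUsers", "query FetchUsers { fetchUsers(type: ENTERPRISE) { id } }"),
        Operation::new("FetchUsers", "query FetchUsers { fetchUsers(type: TRIAL) { id } }"),
        Operation::new("DeleteUser", "mutation DeleteUser { deleteUser(id: 10) }"),
        Operation::new("DeleteUser", "mutation DeleteUser { deleteUser(id: 12) }"),
    ];
    let variants: [(&str, fn(&Operation) -> u64); 2] = [
        ("defective key", defective_cache_key),
        ("sound key", sound_cache_key),
    ];
    for (label, key_fn) in variants {
        println!("--- {} ---", label);
        for (op, plan) in ops.iter().zip(served_plans(key_fn, &ops)) {
            println!("requested: {}\n executed: {}", op.document, plan.subgraph_request);
        }
    }
}
```

With the defective key, the second fetchUsers request and the second deleteUser request are served the plan cached for their predecessors, which is exactly the "unexpected variation of that operation" described above; with the sound key, each operation gets its own plan. The general rule the example demonstrates is that a plan cache key must cover every input that influences the plan, and a shared store only makes the consequences of a bad key wider, since instances now poison each other's lookups.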

Mitigation

Users running distributed query plan caching should take the following steps:

Upgrade to a release that fixes CVE-2024-32971, or downgrade to Apollo Router version 1.43.2, the last release before the affected ones.

The affected 1.44 and 1.45 releases have been withdrawn and should not be used.

If you can neither upgrade nor downgrade immediately, disable distributed query plan caching instead: remove the Redis settings under supergraph.query_planning.cache from the router configuration, so that each router instance falls back to its local in-memory query plan cache. Routers that ran an affected version with the distributed cache enabled may have executed operations their clients did not send, so review subgraph logs for that period, with particular attention to mutations.

Conclusion

CVE-2024-32971 affects specific versions of Apollo Router that have distributed query plan caching enabled. Users should apply the mitigation steps above to avoid executing unintended operations, and more generally keep the router and its dependencies on supported, patched releases, monitoring for and applying security updates as they become available.


Link to original reference: CVE-2024-32971

Apollo Router documentation: https://www.apollographql.com/docs/router/

Apollo Federation 2: https://www.apollographql.com/docs/federation/

Timeline

Published on: 05/02/2024 07:15:21 UTC
Last modified on: 05/02/2024 13:27:25 UTC