Headline
GHSA-368x-wmmg-hq5c: Apollo has potential access control security issue in eureka
Impact
If apollo-configservice is exposed to the internet (which is not recommended), the built-in Eureka service it hosts is reachable with no authentication enabled. Anyone who can reach it can talk to Eureka directly and impersonate (mock) apollo-configservice and apollo-adminservice towards whatever discovers those services through the registry.
Patches
Login authentication for eureka was added in https://github.com/apolloconfig/apollo/pull/4663 and was released in v2.1.0.
Workarounds
To mitigate the issue without upgrading, follow the existing deployment advice and do not expose apollo-configservice to the internet.
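A defensive check that follows from the impact described above, written for this advisory as an added example and not taken from the Apollo project: fetch the registry document that the embedded Eureka returns from `GET <configservice>/eureka/apps` and flag any APOLLO-CONFIGSERVICE or APOLLO-ADMINSERVICE instance whose address is not one you operate. The field names (`applications.application[].instance[]`, `hostName`, `ipAddr`, `port.$`, `status`) are Eureka's standard JSON layout; the hostnames, IPs, allowlist and the sample registry are constructed for the example, and the function names are my own.

```python
"""Spot rogue Apollo instances in a Eureka registry snapshot.

Added example for GHSA-368x-wmmg-hq5c; not Apollo project code. Before 2.1.0 (or
with Eureka auth disabled) anyone who can reach apollo-configservice can register
instances, so a registry entry from an address you do not own is the indicator.
"""
import ipaddress
import json
from typing import Iterable

# Apps that Apollo registers in its built-in Eureka. A rogue entry under either
# name lets an attacker be discovered as a real config/admin service.
APOLLO_APPS = {"APOLLO-CONFIGSERVICE", "APOLLO-ADMINSERVICE"}


def _instances(registry: dict) -> Iterable[tuple[str, dict]]:
    """Yield (app name, instance) pairs from a Eureka /eureka/apps JSON document."""
    apps = registry.get("applications", {}).get("application", [])
    if isinstance(apps, dict):  # Eureka emits an object instead of a list for a single app
        apps = [apps]
    for app in apps:
        insts = app.get("instance", [])
        if isinstance(insts, dict):  # same quirk for a single instance
            insts = [insts]
        for inst in insts:
            yield app.get("name", "").upper(), inst


def _in_allowlist(addr: str, allowed_hosts: set, allowed_nets: list) -> bool:
    """True if addr is an allowlisted hostname or an IP inside an allowlisted network."""
    if addr in allowed_hosts:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unknown hostname is not trusted by default
    return any(ip in net for net in allowed_nets)


def find_rogue_instances(registry: dict, allowed_hosts, allowed_cidrs=()) -> list:
    """Return Apollo instances whose hostName or ipAddr falls outside the allowlist.

    allowed_hosts: hostnames/IPs you actually run Apollo on (assumed operator input).
    allowed_cidrs: networks those hosts live in, e.g. a pod or VPC CIDR.
    """
    hosts = {h.lower() for h in allowed_hosts}
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    rogue = []
    for name, inst in _instances(registry):
        if name not in APOLLO_APPS:
            continue
        # Eureka carries both hostName and ipAddr; either one pointing outside the
        # allowlist means clients could be steered to an attacker-controlled host.
        candidates = [c.lower() for c in (inst.get("hostName", ""), inst.get("ipAddr", "")) if c]
        if not candidates or not all(_in_allowlist(c, hosts, nets) for c in candidates):
            rogue.append({
                "app": name,
                "instanceId": inst.get("instanceId", ""),
                "hostName": inst.get("hostName", ""),
                "ipAddr": inst.get("ipAddr", ""),
                "port": inst.get("port", {}).get("$"),
                "status": inst.get("status", ""),
            })
    return rogue


# Constructed sample of a /eureka/apps response, trimmed to the fields used above:
# two legitimate instances plus one registered from an outside (documentation) address.
SAMPLE_REGISTRY = json.loads("""
{"applications": {"application": [
  {"name": "APOLLO-CONFIGSERVICE", "instance": [
    {"instanceId": "apollo-config-1:apollo-configservice:8080",
     "hostName": "apollo-config-1.internal", "ipAddr": "10.0.1.11",
     "port": {"$": 8080, "@enabled": "true"}, "status": "UP"},
    {"instanceId": "203.0.113.5:apollo-configservice:8080",
     "hostName": "203.0.113.5", "ipAddr": "203.0.113.5",
     "port": {"$": 8080, "@enabled": "true"}, "status": "UP"}]},
  {"name": "APOLLO-ADMINSERVICE", "instance": [
    {"instanceId": "apollo-admin-1:apollo-adminservice:8090",
     "hostName": "apollo-admin-1.internal", "ipAddr": "10.0.1.21",
     "port": {"$": 8090, "@enabled": "true"}, "status": "UP"}]}
]}}
""")

ALLOWED_HOSTS = {"apollo-config-1.internal", "apollo-admin-1.internal"}  # constructed
ALLOWED_CIDRS = ["10.0.1.0/24"]                                          # constructed

if __name__ == "__main__":
    for r in find_rogue_instances(SAMPLE_REGISTRY, ALLOWED_HOSTS, ALLOWED_CIDRS):
        print(f"ROGUE {r['app']} {r['ipAddr']}:{r['port']} ({r['instanceId']}) status={r['status']}")
```

Two caveats when using this against a live deployment: an unauthenticated `200` on `/eureka/apps` from an internet-facing address is itself the finding, since that same unauthenticated access is what the advisory describes; and the check only detects an impersonation after registration, so it complements the workaround (keep apollo-configservice off the internet) and the upgrade to 2.1.0, it does not replace them.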
References
Apollo Security Guidance
For more information
If you have any questions or comments about this advisory:
- Open an issue in apolloconfig/apollo
- Email us at [email protected]
Package
com.ctrip.framework.apollo:apollo (Maven)
Affected versions
< 2.1.0
Patched versions
2.1.0
References
- GHSA-368x-wmmg-hq5c
- https://nvd.nist.gov/vuln/detail/CVE-2023-25570
- apolloconfig/apollo#4663
- apolloconfig/apollo@7df79bf
- https://github.com/apolloconfig/apollo/releases/tag/v2.1.0
Published by nobodyiam to apolloconfig/apollo: Feb 18, 2023
Published by the National Vulnerability Database: Feb 20, 2023
Published to the GitHub Advisory Database: Feb 22, 2023
Reviewed: Feb 22, 2023
Last updated: Feb 22, 2023
Related news
Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. As a workaround, avoid exposing apollo-configservice to the internet.