CVE-2024-43783 in router
Summary
by MITRE • 08/27/2024
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions >=1.21.0 and =1.7.0 and <1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true:

1. Router has been configured to use a custom-developed Native Rust Plugin.
2. The plugin accesses Request.router_request in the RouterService layer.
3. You are accumulating the body from Request.router_request into memory.

If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB.

If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance).
Analysis
by VulDB Data Team • 09/13/2024
The vulnerability described in CVE-2024-43783 affects the Apollo Router Core, a high-performance graph router implemented in Rust that operates as a federated supergraph using Apollo Federation 2. This denial-of-service weakness specifically targets configurations involving custom Native Rust Plugins that interact with the RouterService layer. The flaw manifests when plugins access Request.router_request and accumulate the request body into memory without respecting existing HTTP request size limitations. The technical implementation issue stems from the router's failure to enforce configured request size limits when processing requests through native Rust plugins, creating a scenario where memory consumption becomes unbounded regardless of the default 2 MB http_max_request_bytes limit.
The operational impact of this vulnerability is significant as it creates a direct path to out-of-memory conditions that can terminate the router service entirely. When a sufficiently large request is processed through an affected configuration, the router loads the complete HTTP request body into memory without any size constraints, effectively bypassing all existing request limiting mechanisms. This behavior represents a critical security flaw that can be exploited to cause service disruption and potentially system instability. The vulnerability specifically affects router versions between 1.21.0 and 1.52.1, including the 1.7.0 release, making these versions particularly susceptible to exploitation.
The mitigation strategies provided address multiple attack vectors and implementation approaches. The primary recommendation involves upgrading to Apollo Router version 1.52.1 or later, which resolves the memory accumulation issue. For organizations unable to upgrade immediately, alternative mitigations include disabling the router request body for external coprocessors through configuration changes, which however may impact coprocessor functionality. Native Rust plugin developers can implement protective measures such as avoiding body accumulation or enforcing maximum body size limits within their plugins. Additionally, implementing HTTP body payload size limiting at network boundaries such as proxies or web application firewalls provides an effective defense-in-depth approach. This vulnerability aligns with CWE-400, specifically addressing memory allocation and resource exhaustion issues, and can be categorized under ATT&CK technique T1499.004 for network denial of service attacks. The flaw demonstrates a classic resource exhaustion vulnerability where improper input validation and memory management create opportunities for attackers to consume system resources beyond acceptable limits, ultimately leading to service disruption and potential system compromise.
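The plugin-side mitigation named in both the summary and the analysis (enforce a maximum body size while accumulating), as an added example that is not Apollo Router's or its plugin API's own code: body chunks are modelled as an iterator of byte vectors standing in for streamed body frames, and `collect_body_bounded`, `BodyError` and `DEFAULT_MAX_REQUEST_BYTES` are names chosen here.

```rust
// Added example, not Apollo Router's own code: a native plugin that buffers the
// request body must enforce its own cap, because the body it reads from
// Request.router_request is not covered by limits.http_max_request_bytes.
// Body chunks are modelled as an iterator of Vec<u8> (a constructed stand-in
// for the streaming body frames a real plugin receives).

/// Default value of limits.http_max_request_bytes as stated in the advisory (2 MB).
pub const DEFAULT_MAX_REQUEST_BYTES: usize = 2 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// Buffering would exceed `limit`; `seen` is the size that triggered the refusal.
    TooLarge { limit: usize, seen: usize },
}

/// Accumulates body chunks into memory, refusing to hold more than `limit` bytes.
/// `declared_len` is the Content-Length if the client sent one: an oversized
/// declaration is rejected before a single byte is buffered. The running check
/// then bounds memory at `limit` plus one chunk even for chunked or lying clients.
pub fn collect_body_bounded<I>(
    declared_len: Option<usize>,
    chunks: I,
    limit: usize,
) -> Result<Vec<u8>, BodyError>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    if let Some(declared) = declared_len {
        if declared > limit {
            return Err(BodyError::TooLarge { limit, seen: declared });
        }
    }
    let mut buf = Vec::new();
    let mut seen = 0usize;
    for chunk in chunks {
        seen = seen.saturating_add(chunk.len());
        if seen > limit {
            // Stop reading here; nothing beyond `limit` is ever appended.
            return Err(BodyError::TooLarge { limit, seen });
        }
        buf.extend_from_slice(&chunk);
    }
    Ok(buf)
}

fn main() {
    // Constructed 3 MiB body delivered in 1 MiB chunks, against the 2 MiB default.
    let chunks = std::iter::repeat(vec![b'x'; 1024 * 1024]).take(3);
    match collect_body_bounded(None, chunks, DEFAULT_MAX_REQUEST_BYTES) {
        Ok(body) => println!("buffered {} bytes", body.len()),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```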