CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header

[Zexuan Luo <spacewander () apache org>]

Severity: high

Description:

An attacker can abuse the batch-requests plugin to send requests to
bypass the IP restriction of Admin API.
A default configuration of Apache APISIX (with default API key) is
vulnerable to remote code execution.
When the admin key was changed or the port of Admin API was changed to
a port different from the data panel, the impact is lower. But there
is still a risk to bypass the IP restriction of Apache APISIX's data
panel.

There is a check in the batch-requests plugin which overrides the
client IP with its real remote IP. But due to a bug in the code, this
check can be bypassed.

Mitigation:

1. explicitly configure the enabled plugins in `conf/config.yaml`,
ensure `batch-requests` is disabled. (Or just comment out
`batch-requests` in `conf/config-default.yaml`)
Or
1. upgrade to 2.10.4 or 2.12.1.

Credit:

Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.