CVE-2024-32971

Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router’s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don’t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529
https://github.com/apollographql/router/releases/tag/v1.45.1
https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v
https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching
https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529
https://github.com/apollographql/router/releases/tag/v1.45.1
https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v
https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching

Configurations

No configuration.

History

21 Nov 2024, 09:16

Type	Values Removed	Values Added
Summary		(es) Apollo Router es un router de gráficos configurable escrito en Rust para ejecutar un supergrafo federado que utiliza Apollo Federation 2. Las versiones afectadas de Apollo Router contienen un error que, en circunstancias limitadas, podría provocar la ejecución de operaciones inesperadas que pueden generar datos no deseados o efectos. Esto solo afecta a las instancias del router configuradas para utilizar el almacenamiento en caché del plan de consultas distribuidas. La causa principal de este defecto es un error en la lógica de recuperación de caché del router Apollo: cuando este defecto está presente y el almacenamiento en caché de planificación de consultas distribuidas está habilitado, se solicita al router que ejecute una operación (ya sea una consulta, una mutación o una suscripción). puede resultar en una variación inesperada de esa operación que se ejecuta o en la generación de errores inesperados. El problema surge de la ejecución inadvertida de una versión modificada de una operación ejecutada previamente, cuyo plan de consulta se almacena en la memoria caché subyacente (específicamente, Redis). Dependiendo del tipo de operación, el resultado puede variar. Para una consulta, es posible que se obtengan resultados que no coincidan con lo solicitado (por ejemplo, en lugar de ejecutar `fetchUsers(type: ENTERPRISE)`, el router puede ejecutar `fetchUsers(type: TRIAL)`. Para una mutación, esto puede resultar en mutaciones incorrectas que se envían a servidores de subgrafos subyacentes (por ejemplo, en lugar de enviar `deleteUser(id: 10)` a un subgrafo, el router puede ejecutar `deleteUser(id: 12)`. Se recomienda a los usuarios que utilicen el almacenamiento en caché de planes de consulta distribuidos que actualicen a la versión 1.45.1 o superior, o bien que reduzcan a la versión 1.43.2 del router Apollo. No se recomienda el uso de las versiones 1.44.0 o 1.45.0 del router Apollo y se han retirado. Los usuarios que no puedan actualizar pueden desactivar el almacenamiento en caché del plan de consultas distribuidas para mitigar este problema.
References	~~() https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529 -~~	() https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529 -
References	~~() https://github.com/apollographql/router/releases/tag/v1.45.1 -~~	() https://github.com/apollographql/router/releases/tag/v1.45.1 -
References	~~() https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v -~~	() https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v -
References	~~() https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching -~~	() https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching -

02 May 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-02 07:15

Updated : 2024-11-21 09:16

NVD link : CVE-2024-32971

Mitre link : CVE-2024-32971

CVE.ORG link : CVE-2024-32971

JSON object : View

Products Affected

No product.

CWE

CWE-440

Expected Behavior Violation

CWE-670

Always-Incorrect Control Flow Implementation

9.0 /10