CVE-2024-43414

{"id": "CVE-2024-43414", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-08-27T18:15:15.083", "references": [{"url": "https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4", "tags": ["Exploit"], "source": "security-advisories@github.com"}, {"url": "https://www.apollographql.com/docs/federation/query-plans", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://www.apollographql.com/docs/router/configuration/persisted-queries", "tags": ["Technical Description"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-674"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0.0 and < 2.8.5 and Apollo Router <1.52.1 are also impacted through their use of @apollo/query-panner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. This issue can be triggered if you have at least one non-@key field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using. You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a @link directive referencing the version of Federation being used while Federation 1 subgraphs will not. For example, in a Federation 2 subgraph, you will find a line like @link(url: \"https://specs.apollo.dev/federation/v2.0\"). If a similar @link directive is not present in your subgraph schema, it is using Federation 1. Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs. This issue results from the Apollo query planner attempting to use a Number exceeding Javascript\u2019s Number.MAX_VALUE in some cases. In Javascript, Number.MAX_VALUE is (2^1024 - 2^971). When the query planner receives an inbound graphql request, it breaks the query into pieces and for each piece, generates a list of potential execution steps to solve the piece. These candidates represent the steps that the query planner will take to satisfy the pieces of the larger query. As part of normal operations, the query planner requires and calculates the number of possible query plans for the total query. That is, it needs the product of the number of query plan candidates for each piece of the query. Under normal circumstances, after generating all query plan candidates and calculating the number of all permutations, the query planner moves on to stack rank candidates and prune less-than-optimal options. In particularly complex queries, especially those where fields can be solved through multiple subgraphs, this can cause the number of all query plan permutations to balloon. In worst-case scenarios, this can end up being a number larger than Number.MAX_VALUE. In Javascript, if Number.MAX_VALUE is exceeded, Javascript represents the value as \u201cinfinity\u201d. If the count of candidates is evaluated as infinity, the component of the query planner responsible for pruning less-than-optimal query plans does not actually prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary. This issue has been addressed in @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, and Apollo Router v1.52.1. Users are advised to upgrade. This issue can be avoided by ensuring there are no fields resolvable from multiple subgraphs. If all subgraphs are using Federation 2, you can confirm that you are not impacted by ensuring that none of your subgraph schemas use the @shareable directive. If you are using Federation 1 subgraphs, you will need to validate that there are no fields resolvable by multiple subgraphs."}, {"lang": "es", "value": "Apollo Federation es una arquitectura para componer API de forma declarativa en un gr\u00e1fico unificado. Cada equipo puede ser due\u00f1o de su porci\u00f3n del gr\u00e1fico de forma independiente, lo que les permite realizar entregas de forma aut\u00f3noma e incremental. Las instancias de @apollo/query-planner &gt;=2.0.0 y &lt;2.8.5 se ven afectadas por una vulnerabilidad de denegaci\u00f3n de servicio. Las versiones de @apollo/gateway &gt;=2.0.0 y &lt;2.8.5 y Apollo Router &lt;1.52.1 tambi\u00e9n se ven afectadas por el uso de @apollo/query-panner. Si se le pide a @apollo/query-planner que planifique una consulta suficientemente compleja, es posible que se repita infinitamente y nunca se complete. Esto da como resultado un consumo de memoria ilimitado y una falla o terminaci\u00f3n por falta de memoria (OOM). Este problema puede desencadenarse si tiene al menos un campo que no sea @key y que pueda resolverse mediante varios subgrafos. Para identificar estos campos compartidos, se debe revisar el esquema de cada subgrafo. El mecanismo para identificar campos compartidos var\u00eda seg\u00fan la versi\u00f3n de Federaci\u00f3n que est\u00e9n utilizando sus subgrafos. Puede comprobar si sus subgrafos utilizan la Federaci\u00f3n 1 o la Federaci\u00f3n 2 revisando sus esquemas. Los esquemas de subgrafos de Federaci\u00f3n 2 contendr\u00e1n una directiva @link que hace referencia a la versi\u00f3n de Federaci\u00f3n que se utiliza, mientras que los subgrafos de Federaci\u00f3n 1 no. Por ejemplo, en un subgrafo de Federaci\u00f3n 2, encontrar\u00e1 una l\u00ednea como @link(url: \"https://specs.apollo.dev/federation/v2.0\"). Si una directiva @link similar no est\u00e1 presente en su esquema de subgrafo, est\u00e1 utilizando la Federaci\u00f3n 1. Tenga en cuenta que un supergrafo puede contener una combinaci\u00f3n de subgrafos de Federaci\u00f3n 1 y Federaci\u00f3n 2. Este problema se debe a que el planificador de consultas de Apollo intenta utilizar un n\u00famero que excede el n\u00famero de Javascript.MAX_VALUE en algunos casos. En Javascript, Number.MAX_VALUE es (2^1024 - 2^971). Cuando el planificador de consultas recibe una solicitud Graphql entrante, divide la consulta en partes y, para cada parte, genera una lista de posibles pasos de ejecuci\u00f3n para resolver la parte. Estos candidatos representan los pasos que seguir\u00e1 el planificador de consultas para satisfacer las partes de la consulta m\u00e1s grande. Como parte de las operaciones normales, el planificador de consultas requiere y calcula la cantidad de planes de consulta posibles para la consulta total. Es decir, necesita el producto del n\u00famero de candidatos al plan de consulta para cada parte de la consulta. En circunstancias normales, despu\u00e9s de generar todos los candidatos al plan de consulta y calcular el n\u00famero de todas las permutaciones, el planificador de consultas pasa a clasificar los candidatos y eliminar las opciones menos \u00f3ptimas. En consultas particularmente complejas, especialmente aquellas donde los campos se pueden resolver a trav\u00e9s de m\u00faltiples subgrafos, esto puede hacer que el n\u00famero de todas las permutaciones del plan de consulta aumente. En el peor de los casos, esto puede terminar siendo un n\u00famero mayor que Number.MAX_VALUE. En Javascript, si se excede Number.MAX_VALUE, Javascript representa el valor como \"infinito\". Si el recuento de candidatos se eval\u00faa como infinito, el componente del planificador de consultas responsable de eliminar los planes de consultas que no son \u00f3ptimos en realidad no elimina los candidatos, lo que hace que el planificador de consultas eval\u00fae muchos \u00f3rdenes de magnitud m\u00e1s candidatos a planes de consultas de los necesarios. Este problema se solucion\u00f3 en @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5 y Apollo Router v1.52.1. Se recomienda a los usuarios que actualicen. Este problema se puede evitar asegur\u00e1ndose de que no haya campos que se puedan resolver en varios subgrafos. Si todos los subgrafos utilizan la Federaci\u00f3n 2, puede confirmar que no se ver\u00e1 afectado asegur\u00e1ndose de que ninguno de sus esquemas de subgrafos utilice la directiva @shareable. --- TRUNCADO ----"}], "lastModified": "2024-09-12T21:33:40.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apollographql:apollo-router:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "DC2E3CE8-4AA1-4201-9D25-747129D12CF6", "versionEndExcluding": "1.52.1"}, {"criteria": "cpe:2.3:a:apollographql:apollo_gateway:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "34C12E9C-CB82-4258-BE8D-A33ACCB4DF16", "versionEndExcluding": "2.8.5", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E734618-8E22-4FE6-B19D-FBE43CE5751F", "versionEndExcluding": "1.52.1"}, {"criteria": "cpe:2.3:a:apollographql:apollo_query-planner:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A0231E1E-F9F9-4C81-9161-16443D79280A", "versionEndExcluding": "2.8.5", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78F8E1F6-79E4-4B0B-A03B-EAC1D8898187", "versionEndExcluding": "1.52.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}