CVE-2021-43557 Overview
CVE-2021-43557 is an authorization bypass vulnerability in the uri-block plugin of Apache APISIX before version 2.10.2. The vulnerability stems from the plugin's use of $request_uri without proper verification or normalization. Since $request_uri contains the full original request URI without normalization, attackers can craft malformed URIs to circumvent block list restrictions. For example, when a block list contains the pattern ^/internal/, an attacker can use a URI like //internal/ to bypass security controls and access restricted resources.
Critical Impact
Attackers can bypass URI-based access controls to access protected internal endpoints and resources that should be restricted, potentially exposing sensitive data or functionality.
Affected Products
- Apache APISIX versions prior to 2.10.2
- Custom plugins using $request_uri without normalization
- Other APISIX plugins with similar URI handling patterns
Discovery Timeline
- 2021-11-22 - CVE CVE-2021-43557 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-43557
Vulnerability Analysis
This vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command - Command Injection), though it more precisely represents an authorization bypass through improper input validation. The root issue lies in how Apache APISIX handles URI pattern matching in its security plugins.
The uri-block plugin is designed to prevent access to certain URI patterns by matching incoming requests against a configured block list. However, the plugin uses the raw $request_uri variable directly without normalizing the path. This creates a gap between what the security policy intends to block and what actually gets blocked.
Web servers and applications often normalize URIs by collapsing multiple slashes, resolving relative paths, and decoding URL-encoded characters. When security checks occur before this normalization, or when they use non-normalized values, attackers can exploit the discrepancy to bypass restrictions while still reaching the intended backend resource.
Root Cause
The fundamental cause is the use of $request_uri without proper URI normalization before pattern matching. The $request_uri nginx variable contains the original request URI exactly as sent by the client, including any malformed or non-standard formatting. The uri-block plugin performs regex matching against this raw value, but the backend routing may normalize the URI before processing, creating a security bypass opportunity.
For example, a block rule targeting ^/internal/ will match /internal/secret but will fail to match //internal/secret because the pattern expects a single slash at the start. However, most backend servers will normalize //internal/secret to /internal/secret when processing the request.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by manipulating the URI in HTTP requests to evade block list restrictions.
The exploitation technique involves identifying protected URI patterns in the block list configuration and then crafting requests with non-normalized URIs that bypass the regex patterns while still resolving to the protected resources. Common bypass techniques include:
- Using double slashes: //internal/ instead of /internal/
- Adding path segments with traversal: /public/../internal/
- URL encoding path components: /%69nternal/ (encoding 'i')
- Case manipulation if not accounted for
- Adding trailing characters or null bytes
Once the block list is bypassed, the attacker gains access to resources that administrators intended to protect, potentially exposing internal APIs, administrative interfaces, or sensitive data endpoints.
Detection Methods for CVE-2021-43557
Indicators of Compromise
- HTTP requests containing double slashes (//) or unusual path patterns in access logs
- Requests to internal or administrative endpoints from external sources
- Access log entries showing normalized URIs that differ from raw request URIs
- Unexpected access to endpoints that should be blocked by uri-block plugin rules
Detection Strategies
- Review HTTP access logs for requests containing non-standard URI formatting such as double slashes, encoded characters, or path traversal sequences
- Implement Web Application Firewall (WAF) rules to detect and alert on URI normalization bypass attempts
- Monitor for access to protected endpoints that should be blocked by the uri-block plugin
- Compare raw request URIs against normalized URIs in application logs to identify discrepancies
Monitoring Recommendations
- Enable detailed request logging in Apache APISIX to capture both raw and processed URIs
- Set up alerts for access attempts to known protected URI patterns from unauthorized sources
- Monitor for sudden increases in requests containing unusual URI formatting patterns
- Implement network-level monitoring for requests to internal API endpoints
How to Mitigate CVE-2021-43557
Immediate Actions Required
- Upgrade Apache APISIX to version 2.10.2 or later immediately
- Review all uri-block plugin configurations to identify potentially affected routes
- Audit custom plugins for similar usage of $request_uri without normalization
- Implement additional WAF rules as a defense-in-depth measure while patching
Patch Information
Apache has released version 2.10.2 of APISIX which addresses this vulnerability. The patch ensures proper URI normalization before pattern matching in the uri-block plugin. Administrators should upgrade to this version or later to remediate the vulnerability.
For detailed information about the fix, refer to the Apache Security Mailing List Thread. Additional context is available in the OpenWall security advisories: OSS Security Update 1, OSS Security Update 2, and OSS Security Update 3.
Workarounds
- Implement URI normalization at the network edge (load balancer or WAF) before requests reach APISIX
- Add additional block list patterns that account for common bypass techniques (e.g., ^//internal/, ^/+internal/)
- Use network segmentation to restrict access to internal endpoints at the infrastructure level
- Implement application-level authentication and authorization as a secondary protection layer
# Example: Enhanced uri-block configuration with bypass prevention
# Add normalized patterns to catch common bypass attempts
# Note: Upgrade to 2.10.2+ is the recommended solution
# Review current APISIX version
apisix version
# Upgrade APISIX (example for package manager)
# Consult official documentation for your deployment method
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
