CVE-2020-15170

7.0 HIGH

📋 TL;DR

CVE-2020-15170 is an access control vulnerability in Apollo AdminService that allows unauthenticated attackers to directly access administrative APIs. This enables attackers to view and modify application configurations if the service is exposed to untrusted networks. Only deployments exposing Apollo AdminService to the internet or untrusted internal networks are affected.

💻 Affected Systems

Products:
  • Apollo AdminService
Versions: All versions before 1.7.1
Operating Systems: All platforms running Apollo AdminService
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when Apollo AdminService is exposed beyond trusted intranet environments. The service is designed for intranet use only.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain full control over application configurations, potentially modifying critical settings, injecting malicious code, or disrupting service availability across all applications managed by Apollo.

🟠 Likely Case: Unauthorized access to sensitive configuration data, potential configuration tampering leading to application misbehavior or data exposure.

🟢 If Mitigated: No impact if the service is properly isolated in trusted network segments with appropriate network controls.

🌐 Internet-Facing: HIGH - Direct exposure to internet allows unauthenticated attackers to exploit the vulnerability without any access controls.
🏢 Internal Only: MEDIUM - Risk exists if exposed to untrusted internal networks, but lower than internet exposure due to reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the AdminService port. No authentication or special tools needed - attackers can directly call administrative APIs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.1

Vendor Advisory: https://github.com/ctripcorp/apollo/security/advisories/GHSA-xpmx-h7xq-xffh

Restart Required: Yes

Instructions:

1. Upgrade Apollo AdminService to version 1.7.1 or later.
2. Restart the AdminService.
3. Verify the service is running the patched version.

🔧 Temporary Workarounds

Network Isolation (linux)

Restrict network access to Apollo AdminService to trusted internal networks only:

  iptables -A INPUT -p tcp --dport 8090 -s TRUSTED_NETWORK -j ACCEPT
  iptables -A INPUT -p tcp --dport 8090 -j DROP

These rules are appended, so they only take effect if no earlier rule in the INPUT chain already accepts traffic to port 8090.

Reverse Proxy with Authentication (all platforms)

Place Apollo AdminService behind a reverse proxy with authentication (e.g., nginx with basic auth):

  location / {
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/.htpasswd;
      proxy_pass http://localhost:8090;
  }

The proxy only helps if AdminService itself is bound to localhost (or otherwise firewalled), so that port 8090 cannot be reached directly.

🧯 If You Can't Patch

  • Immediately isolate Apollo AdminService to trusted internal network segments only
  • Implement network access controls (firewall rules) to restrict access to authorized IP addresses

🔍 How to Verify

Check if Vulnerable:

Check if Apollo AdminService version is below 1.7.1 AND is accessible from untrusted networks

Check Version:

curl -s http://localhost:8090/version | grep version

Verify Fix Applied:

Verify version is 1.7.1 or higher and test that administrative APIs require authentication when accessed

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to AdminService APIs
  • Configuration changes from unexpected IP addresses

Network Indicators:

  • External IP addresses accessing AdminService port 8090
  • Unusual API call patterns to configuration endpoints

SIEM Query:

source="apollo-admin.log" AND ("POST /" OR "PUT /") AND NOT src_ip IN [TRUSTED_NETWORKS]
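As an added example (not from the advisory or the Apollo project), the SIEM query above expressed as a small Python check over constructed access-log lines; the trusted ranges, log format and request paths are assumptions, and it goes slightly beyond the query by also flagging DELETE requests.

```python
import ipaddress
import re

# Assumed trusted ranges (placeholders for the page's TRUSTED_NETWORKS).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Methods that change configuration state on the AdminService.
# The page's query lists POST and PUT; DELETE is added here for item removal.
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Common/combined log format, assumed for the access log in front of AdminService.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); paths are illustrative only.
SAMPLE_LOG = """\
10.1.2.3 - - [10/Sep/2020:10:00:01 +0000] "GET /apps HTTP/1.1" 200 512
203.0.113.7 - - [10/Sep/2020:10:00:05 +0000] "POST /apps/demo-app/clusters/default/namespaces/application/items HTTP/1.1" 200 90
192.168.5.9 - - [10/Sep/2020:10:00:09 +0000] "PUT /apps/demo-app/clusters/default/namespaces/application/items/1 HTTP/1.1" 200 90
198.51.100.4 - - [10/Sep/2020:10:00:12 +0000] "GET /apps HTTP/1.1" 200 512
this line is not parseable
203.0.113.7 - - [10/Sep/2020:10:00:20 +0000] "DELETE /apps/demo-app/clusters/default/namespaces/application/items/1 HTTP/1.1" 200 0
"""


def is_trusted(ip_text, trusted=TRUSTED_NETWORKS):
    """True if ip_text parses as an address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbage or hostname: treat as untrusted so it gets reviewed
    return any(addr in net for net in trusted)


def find_untrusted_writes(log_text, trusted=TRUSTED_NETWORKS):
    """Return (ip, method, path) for every write request from outside trusted nets."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole run
        if m["method"] in WRITE_METHODS and not is_trusted(m["ip"], trusted):
            hits.append((m["ip"], m["method"], m["path"]))
    return hits
```

Calling find_untrusted_writes(SAMPLE_LOG) returns the two 203.0.113.7 write requests; the PUT from 192.168.5.9 is trusted and the GET from 198.51.100.4 is a read, so neither is flagged.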
