Vulnerability-Lookup - Search a vulnerability

CVE-2024-43414 (GCVE-0-2024-43414)

Vulnerability from cvelistv5

Published

2024-08-27 17:20

Modified

2024-08-27 17:58

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-674 - Uncontrolled Recursion

Summary

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0.0 and < 2.8.5 and Apollo Router <1.52.1 are also impacted through their use of @apollo/query-panner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. This issue can be triggered if you have at least one non-@key field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using. You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a @link directive referencing the version of Federation being used while Federation 1 subgraphs will not. For example, in a Federation 2 subgraph, you will find a line like @link(url: "https://specs.apollo.dev/federation/v2.0"). If a similar @link directive is not present in your subgraph schema, it is using Federation 1. Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs. This issue results from the Apollo query planner attempting to use a Number exceeding Javascript’s Number.MAX_VALUE in some cases. In Javascript, Number.MAX_VALUE is (2^1024 - 2^971). When the query planner receives an inbound graphql request, it breaks the query into pieces and for each piece, generates a list of potential execution steps to solve the piece. These candidates represent the steps that the query planner will take to satisfy the pieces of the larger query. As part of normal operations, the query planner requires and calculates the number of possible query plans for the total query. That is, it needs the product of the number of query plan candidates for each piece of the query. Under normal circumstances, after generating all query plan candidates and calculating the number of all permutations, the query planner moves on to stack rank candidates and prune less-than-optimal options. In particularly complex queries, especially those where fields can be solved through multiple subgraphs, this can cause the number of all query plan permutations to balloon. In worst-case scenarios, this can end up being a number larger than Number.MAX_VALUE. In Javascript, if Number.MAX_VALUE is exceeded, Javascript represents the value as “infinity”. If the count of candidates is evaluated as infinity, the component of the query planner responsible for pruning less-than-optimal query plans does not actually prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary. This issue has been addressed in @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, and Apollo Router v1.52.1. Users are advised to upgrade. This issue can be avoided by ensuring there are no fields resolvable from multiple subgraphs. If all subgraphs are using Federation 2, you can confirm that you are not impacted by ensuring that none of your subgraph schemas use the @shareable directive. If you are using Federation 1 subgraphs, you will need to validate that there are no fields resolvable by multiple subgraphs.

References

►

URL

	Vendor	Product	Version
	apollographql	federation	Version: >= 2.0.0, < 2.8.5 Version: < 1.52.1

CVE-2024-43783 (GCVE-0-2024-43783)

Vulnerability from cvelistv5

Published

2024-08-27 17:16

Modified

2024-08-27 18:06

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions >=1.21.0 and < 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. Instances of the Apollo Router running versions >=1.7.0 and <1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true: 1. Router has been configured to use a custom-developed Native Rust Plugin. 2. The plugin accesses Request.router_request in the RouterService layer. 3. You are accumulating the body from Request.router_request into memory. If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB. If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance).

References

►

URL

	Vendor	Product	Version
	apollographql	router	Version: >=1.7.0, < 1.52.1

Vulnerability from fkie_nvd

Published

2024-08-27 18:15

Modified

2024-09-12 21:33

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions >=1.21.0 and < 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. Instances of the Apollo Router running versions >=1.7.0 and <1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true: 1. Router has been configured to use a custom-developed Native Rust Plugin. 2. The plugin accesses Request.router_request in the RouterService layer. 3. You are accumulating the body from Request.router_request into memory. If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB. If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance).

References

URL	Tags
security-advisories@github.com	https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14	Patch
security-advisories@github.com	https://github.com/apollographql/router/releases/tag/v1.52.1	Release Notes
security-advisories@github.com	https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32	Exploit, Vendor Advisory
security-advisories@github.com	https://www.apollographql.com/docs/router/configuration/overview/#request-limits	Product
security-advisories@github.com	https://www.apollographql.com/docs/router/customizations/coprocessor	Technical Description
security-advisories@github.com	https://www.apollographql.com/docs/router/customizations/native	Technical Description

Impacted products

Vendor	Product	Version
apollographql	apollo-router	*
apollographql	apollo_helms-charts_router	*
apollographql	apollo_router	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apollographql:apollo-router:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "B29EFF0B-104E-40C3-B57F-364E3A597BC6",
              "versionEndExcluding": "1.52.1",
              "versionStartIncluding": "1.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E422884F-DBC0-4D18-89A9-3BEE67AA14F5",
              "versionEndExcluding": "1.52.1",
              "versionStartIncluding": "1.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "239DF16D-B5D7-4830-9EAF-62A17112B12B",
              "versionEndExcluding": "1.52.1",
              "versionStartIncluding": "1.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions \u003e=1.21.0 and \u003c 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. Instances of the Apollo Router running versions \u003e=1.7.0 and \u003c1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true: 1. Router has been configured to use a custom-developed Native Rust Plugin. 2. The plugin accesses Request.router_request in the RouterService layer. 3. You are accumulating the body from Request.router_request into memory. If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB. If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance)."
    },
    {
      "lang": "es",
      "value": "Apollo Router Core es un enrutador de gr\u00e1ficos configurable y de alto rendimiento escrito en Rust para ejecutar un supergrafo federado que utiliza Apollo Federation 2. Las instancias del enrutador Apollo que ejecutan versiones \u0026gt;=1.21.0 y \u0026lt;1.52.1 se ven afectadas por una denegaci\u00f3n de vulnerabilidad del servicio si _todo_ lo siguiente es verdadero: 1. El enrutador Apollo se ha configurado para admitir [coprocesamiento externo] (https://www.apollographql.com/docs/router/customizations/coprocessor). 2. El enrutador Apollo se ha configurado para enviar cuerpos de solicitud a los coprocesadores. Esta es una configuraci\u00f3n no predeterminada y los administradores deben configurarla intencionalmente. Las instancias del enrutador Apollo que ejecutan las versiones \u0026gt;=1.7.0 y \u0026lt;1.52.1 se ven afectadas por una vulnerabilidad de denegaci\u00f3n de servicio si se cumple todo lo siguiente: 1. El enrutador se ha configurado para utilizar un complemento Native Rust desarrollado a medida. 2. El complemento accede a Request.router_request en la capa RouterService. 3. Est\u00e1s acumulando el cuerpo de Request.router_request en la memoria. Si utiliza una configuraci\u00f3n afectada, el enrutador cargar\u00e1 cuerpos completos de solicitudes HTTP en la memoria sin respetar otras configuraciones que limitan el tama\u00f1o de las solicitudes HTTP, como limites.http_max_request_bytes. Esto puede provocar que el enrutador finalice por falta de memoria (OOM) si se env\u00eda una solicitud suficientemente grande al enrutador. De forma predeterminada, el enrutador establece l\u00edmites.http_max_request_bytes en 2 MB. Si tiene una configuraci\u00f3n afectada como se define anteriormente, actualice al menos a Apollo Router 1.52.1. Si no puede actualizar, puede mitigar la oportunidad de denegaci\u00f3n de servicio que afecta a los coprocesadores externos configurando la opci\u00f3n de configuraci\u00f3n coprocessor.router.request.body en falso. Tenga en cuenta que cambiar esta opci\u00f3n de configuraci\u00f3n cambiar\u00e1 la informaci\u00f3n enviada a cualquier coprocesador que haya configurado y puede afectar la funcionalidad implementada por esos coprocesadores. Si ha desarrollado un complemento Native Rust y no puede actualizarlo, puede actualizar su complemento para no acumular el cuerpo de la solicitud o imponer un l\u00edmite m\u00e1ximo de tama\u00f1o del cuerpo. Tambi\u00e9n puede mitigar este problema limitando los tama\u00f1os de carga \u00fatil del cuerpo HTTP antes del enrutador (por ejemplo, en un proxy o dispositivo de firewall de aplicaciones web)."
    }
  ],
  "id": "CVE-2024-43783",
  "lastModified": "2024-09-12T21:33:56.637",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-27T18:15:15.403",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/apollographql/router/releases/tag/v1.52.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.apollographql.com/docs/router/configuration/overview/#request-limits"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://www.apollographql.com/docs/router/customizations/coprocessor"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://www.apollographql.com/docs/router/customizations/native"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd

Published

2024-08-27 18:15

Modified

2024-09-12 21:33

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0.0 and < 2.8.5 and Apollo Router <1.52.1 are also impacted through their use of @apollo/query-panner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. This issue can be triggered if you have at least one non-@key field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using. You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a @link directive referencing the version of Federation being used while Federation 1 subgraphs will not. For example, in a Federation 2 subgraph, you will find a line like @link(url: "https://specs.apollo.dev/federation/v2.0"). If a similar @link directive is not present in your subgraph schema, it is using Federation 1. Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs. This issue results from the Apollo query planner attempting to use a Number exceeding Javascript’s Number.MAX_VALUE in some cases. In Javascript, Number.MAX_VALUE is (2^1024 - 2^971). When the query planner receives an inbound graphql request, it breaks the query into pieces and for each piece, generates a list of potential execution steps to solve the piece. These candidates represent the steps that the query planner will take to satisfy the pieces of the larger query. As part of normal operations, the query planner requires and calculates the number of possible query plans for the total query. That is, it needs the product of the number of query plan candidates for each piece of the query. Under normal circumstances, after generating all query plan candidates and calculating the number of all permutations, the query planner moves on to stack rank candidates and prune less-than-optimal options. In particularly complex queries, especially those where fields can be solved through multiple subgraphs, this can cause the number of all query plan permutations to balloon. In worst-case scenarios, this can end up being a number larger than Number.MAX_VALUE. In Javascript, if Number.MAX_VALUE is exceeded, Javascript represents the value as “infinity”. If the count of candidates is evaluated as infinity, the component of the query planner responsible for pruning less-than-optimal query plans does not actually prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary. This issue has been addressed in @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, and Apollo Router v1.52.1. Users are advised to upgrade. This issue can be avoided by ensuring there are no fields resolvable from multiple subgraphs. If all subgraphs are using Federation 2, you can confirm that you are not impacted by ensuring that none of your subgraph schemas use the @shareable directive. If you are using Federation 1 subgraphs, you will need to validate that there are no fields resolvable by multiple subgraphs.

References

URL	Tags
security-advisories@github.com	https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4	Exploit
security-advisories@github.com	https://www.apollographql.com/docs/federation/query-plans	Technical Description
security-advisories@github.com	https://www.apollographql.com/docs/router/configuration/persisted-queries	Technical Description

Impacted products

Vendor	Product	Version
apollographql	apollo-router	*
apollographql	apollo_gateway	*
apollographql	apollo_helms-charts_router	*
apollographql	apollo_query-planner	*
apollographql	apollo_router	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apollographql:apollo-router:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "DC2E3CE8-4AA1-4201-9D25-747129D12CF6",
              "versionEndExcluding": "1.52.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apollographql:apollo_gateway:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "34C12E9C-CB82-4258-BE8D-A33ACCB4DF16",
              "versionEndExcluding": "2.8.5",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E734618-8E22-4FE6-B19D-FBE43CE5751F",
              "versionEndExcluding": "1.52.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apollographql:apollo_query-planner:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "A0231E1E-F9F9-4C81-9161-16443D79280A",
              "versionEndExcluding": "2.8.5",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "78F8E1F6-79E4-4B0B-A03B-EAC1D8898187",
              "versionEndExcluding": "1.52.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner \u003e=2.0.0 and \u003c2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions \u003e=2.0.0 and \u003c 2.8.5 and Apollo Router \u003c1.52.1 are also impacted through their use of @apollo/query-panner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. This issue can be triggered if you have at least one non-@key field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using. You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a @link directive referencing the version of Federation being used while Federation 1 subgraphs will not. For example, in a Federation 2 subgraph, you will find a line like @link(url: \"https://specs.apollo.dev/federation/v2.0\"). If a similar @link directive is not present in your subgraph schema, it is using Federation 1. Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs. This issue results from the Apollo query planner attempting to use a Number exceeding Javascript\u2019s Number.MAX_VALUE in some cases. In Javascript, Number.MAX_VALUE is (2^1024 - 2^971). When the query planner receives an inbound graphql request, it breaks the query into pieces and for each piece, generates a list of potential execution steps to solve the piece. These candidates represent the steps that the query planner will take to satisfy the pieces of the larger query. As part of normal operations, the query planner requires and calculates the number of possible query plans for the total query. That is, it needs the product of the number of query plan candidates for each piece of the query. Under normal circumstances, after generating all query plan candidates and calculating the number of all permutations, the query planner moves on to stack rank candidates and prune less-than-optimal options. In particularly complex queries, especially those where fields can be solved through multiple subgraphs, this can cause the number of all query plan permutations to balloon. In worst-case scenarios, this can end up being a number larger than Number.MAX_VALUE. In Javascript, if Number.MAX_VALUE is exceeded, Javascript represents the value as \u201cinfinity\u201d. If the count of candidates is evaluated as infinity, the component of the query planner responsible for pruning less-than-optimal query plans does not actually prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary. This issue has been addressed in @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, and Apollo Router v1.52.1. Users are advised to upgrade. This issue can be avoided by ensuring there are no fields resolvable from multiple subgraphs. If all subgraphs are using Federation 2, you can confirm that you are not impacted by ensuring that none of your subgraph schemas use the @shareable directive. If you are using Federation 1 subgraphs, you will need to validate that there are no fields resolvable by multiple subgraphs."
    },
    {
      "lang": "es",
      "value": "Apollo Federation es una arquitectura para componer API de forma declarativa en un gr\u00e1fico unificado. Cada equipo puede ser due\u00f1o de su porci\u00f3n del gr\u00e1fico de forma independiente, lo que les permite realizar entregas de forma aut\u00f3noma e incremental. Las instancias de @apollo/query-planner \u0026gt;=2.0.0 y \u0026lt;2.8.5 se ven afectadas por una vulnerabilidad de denegaci\u00f3n de servicio. Las versiones de @apollo/gateway \u0026gt;=2.0.0 y \u0026lt;2.8.5 y Apollo Router \u0026lt;1.52.1 tambi\u00e9n se ven afectadas por el uso de @apollo/query-panner. Si se le pide a @apollo/query-planner que planifique una consulta suficientemente compleja, es posible que se repita infinitamente y nunca se complete. Esto da como resultado un consumo de memoria ilimitado y una falla o terminaci\u00f3n por falta de memoria (OOM). Este problema puede desencadenarse si tiene al menos un campo que no sea @key y que pueda resolverse mediante varios subgrafos. Para identificar estos campos compartidos, se debe revisar el esquema de cada subgrafo. El mecanismo para identificar campos compartidos var\u00eda seg\u00fan la versi\u00f3n de Federaci\u00f3n que est\u00e9n utilizando sus subgrafos. Puede comprobar si sus subgrafos utilizan la Federaci\u00f3n 1 o la Federaci\u00f3n 2 revisando sus esquemas. Los esquemas de subgrafos de Federaci\u00f3n 2 contendr\u00e1n una directiva @link que hace referencia a la versi\u00f3n de Federaci\u00f3n que se utiliza, mientras que los subgrafos de Federaci\u00f3n 1 no. Por ejemplo, en un subgrafo de Federaci\u00f3n 2, encontrar\u00e1 una l\u00ednea como @link(url: \"https://specs.apollo.dev/federation/v2.0\"). Si una directiva @link similar no est\u00e1 presente en su esquema de subgrafo, est\u00e1 utilizando la Federaci\u00f3n 1. Tenga en cuenta que un supergrafo puede contener una combinaci\u00f3n de subgrafos de Federaci\u00f3n 1 y Federaci\u00f3n 2. Este problema se debe a que el planificador de consultas de Apollo intenta utilizar un n\u00famero que excede el n\u00famero de Javascript.MAX_VALUE en algunos casos. En Javascript, Number.MAX_VALUE es (2^1024 - 2^971). Cuando el planificador de consultas recibe una solicitud Graphql entrante, divide la consulta en partes y, para cada parte, genera una lista de posibles pasos de ejecuci\u00f3n para resolver la parte. Estos candidatos representan los pasos que seguir\u00e1 el planificador de consultas para satisfacer las partes de la consulta m\u00e1s grande. Como parte de las operaciones normales, el planificador de consultas requiere y calcula la cantidad de planes de consulta posibles para la consulta total. Es decir, necesita el producto del n\u00famero de candidatos al plan de consulta para cada parte de la consulta. En circunstancias normales, despu\u00e9s de generar todos los candidatos al plan de consulta y calcular el n\u00famero de todas las permutaciones, el planificador de consultas pasa a clasificar los candidatos y eliminar las opciones menos \u00f3ptimas. En consultas particularmente complejas, especialmente aquellas donde los campos se pueden resolver a trav\u00e9s de m\u00faltiples subgrafos, esto puede hacer que el n\u00famero de todas las permutaciones del plan de consulta aumente. En el peor de los casos, esto puede terminar siendo un n\u00famero mayor que Number.MAX_VALUE. En Javascript, si se excede Number.MAX_VALUE, Javascript representa el valor como \"infinito\". Si el recuento de candidatos se eval\u00faa como infinito, el componente del planificador de consultas responsable de eliminar los planes de consultas que no son \u00f3ptimos en realidad no elimina los candidatos, lo que hace que el planificador de consultas eval\u00fae muchos \u00f3rdenes de magnitud m\u00e1s candidatos a planes de consultas de los necesarios. Este problema se solucion\u00f3 en @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5 y Apollo Router v1.52.1. Se recomienda a los usuarios que actualicen. Este problema se puede evitar asegur\u00e1ndose de que no haya campos que se puedan resolver en varios subgrafos. Si todos los subgrafos utilizan la Federaci\u00f3n 2, puede confirmar que no se ver\u00e1 afectado asegur\u00e1ndose de que ninguno de sus esquemas de subgrafos utilice la directiva @shareable. --- TRUNCADO ----"
    }
  ],
  "id": "CVE-2024-43414",
  "lastModified": "2024-09-12T21:33:40.887",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-27T18:15:15.083",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://www.apollographql.com/docs/federation/query-plans"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://www.apollographql.com/docs/router/configuration/persisted-queries"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-674"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-674"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerabilites related to apollographql - apollo-router

CVE-2024-43414 (GCVE-0-2024-43414)

Vulnerability from cvelistv5

CVE-2024-43783 (GCVE-0-2024-43783)

Vulnerability from cvelistv5

Vulnerability from fkie_nvd

Vulnerability from fkie_nvd