CVE-2020-11710: Unauthorized vulnerability alert for Kong API Gateway

Recently, Kong issued a risk notification about an unauthorized-access vulnerability in the Kong Admin RESTful API. The vulnerability is tracked as CVE-2020-11710, and its severity is rated very high.

Kong is a cloud-native, fast, and extensible distributed microservice abstraction layer (also called an API gateway or API middleware). Its core value is high performance and scalability; it has been provided as an open source project since 2015.

Actively maintained, Kong is widely used in production by companies ranging from startups to the Global 5000, as well as by government organizations.

The Kong API Gateway administrator control interface (the Admin API) is affected by an unauthorized-access vulnerability. Through this interface an attacker can directly control the API gateway and turn it into an open traffic proxy for reaching sensitive internal services.

Enterprises usually deploy Kong as the API gateway of a cloud-native architecture, and the deployment usually follows the official guidelines.

By default, the Admin RESTful API (ports 8001/8444) is also exposed to the public network, so an attacker can fully control all behaviour of the Kong gateway. The operations an attacker can perform include, but are not limited to:

  • Adding routes to key intranet services
  • Using Kong as a proxy node to sniff the internal services it can reach

Affected versions

  • Kong 2.0.2 and below

We recommend that users install the latest patches promptly.
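As an added example (not part of the original advisory and not Kong's own tooling), the following Python script lets an operator verify the two points above on a gateway they run: `probe_admin_api` requests the Admin API root on port 8001 or 8444 from an external vantage point and reports whether it answers without credentials, and `admin_listen_bound_publicly` flags a kong.conf `admin_listen` value that binds the Admin API to anything other than a loopback address. The host name and the sample configuration lines are constructed; `admin_listen` is Kong's real configuration key, while the root-document keys `version` and `configuration` used to recognise a Kong Admin API reply are an assumption about its response shape.

```python
import json
import ssl
import urllib.error
import urllib.request

ADMIN_SCHEMES = {8001: "http", 8444: "https"}     # Kong Admin API default ports
LOOPBACK = ("127.0.0.1", "localhost", "::1", "[::1]")

def classify_admin_response(status, body):
    """'exposed': Kong Admin API root document served with no auth; 'protected':
    the port answers but demands credentials (401/403); 'not-kong': anything else."""
    if status in (401, 403):
        return "protected"
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return "not-kong"
    if isinstance(doc, dict) and {"version", "configuration"}.issubset(doc):  # assumed keys
        return "exposed"
    return "not-kong"

def probe_admin_api(host, port=8001, timeout=3.0):
    """GET / on the admin port of a gateway you operate, from outside its network."""
    scheme = ADMIN_SCHEMES.get(port, "http")
    ctx = None
    if scheme == "https":                     # reachability check only: admin ports
        ctx = ssl.create_default_context()    # usually carry a self-signed certificate
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with urllib.request.urlopen(f"{scheme}://{host}:{port}/", timeout=timeout, context=ctx) as r:
            return classify_admin_response(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_admin_response(e.code, e.read().decode("utf-8", "replace"))
    except OSError:                           # URLError, timeout, refused, no route
        return "unreachable"

def admin_listen_bound_publicly(kong_conf_text):
    """True if an 'admin_listen' line in kong.conf binds the Admin API to a non-loopback address."""
    for line in kong_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()              # drop comments
        if not line.startswith("admin_listen") or "=" not in line:
            continue
        value = line.split("=", 1)[1].strip()
        if value == "off":                                # Admin API disabled entirely
            return False
        for entry in value.split(","):
            parts = entry.split()                         # "0.0.0.0:8444 http2 ssl" -> address first
            if parts and parts[0].rsplit(":", 1)[0] not in LOOPBACK:
                return True
    return False
```

Run `probe_admin_api("<your-gateway-host>")` from a host outside the gateway's network; a result of `exposed` means the condition described in this advisory is present.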

Source: www.linuxidc.com/Linux/2020-04/162926.htm