GHSA-W42G-7VFC-XF37
Vulnerability from github – Published: 2020-06-05 19:38 – Updated: 2020-08-31 19:02We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The Resolution section contains details on patched versions.
Impact
If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules (i.e., using validationRules) since there would be no expectation that introspection was disabled.
The enforcement of user-provided validation rules on the HTTP transport is working as intended and is unaffected by this advisory. Similarly, disabling introspection on the HTTP transport is working as intended and is unaffected by this advisory.
Note: Unless
subscriptions: falseis explicitly passed to the constructor parameters ofnew ApolloServer({ ... }), subscriptions are enabled by default, whether or not there is aSubscriptiontype present in the schema. As an alternative to upgrading to a patched version, see the Workarounds section below to disable subscriptions if it is not necessary.
In cases where subscriptions: false is not explicitly set, the subscription server is impacted since validation rules which are enforced on the main request pipeline within Apollo Server were not being passed to the SubscriptionServer.create invocation (seen here, prior to the patch).
The omitted validation rules for the subscription server include any validationRules passed by implementors to the ApolloServer constructor which were expected to be enforced on the subscriptions WebSocket endpoint. Additionally, because an internal NoIntrospection validation rule is used to disable introspection, it would have been possible to introspect a server on the WebSocket endpoint that the SubscriptionServer creates even though it was not possible on other transports (e.g. HTTP).
The severity of risk depends on whether sensitive information is being stored in the schema itself. The contents of schema descriptions, or secrets which might be revealed by the names of types or field names within those types, will determine the risk to individual implementors.
Affected packages
The bug existed in apollo-server-core versions prior to version 2.14.2, however, this means all integration packages (e.g., apollo-server-express, etc.) prior to version 2.14.2 which depend on apollo-server-core for their subscriptions support are affected. This includes the apollo-server package that automatically provides an Express server.
Therefore, for officially published Apollo Server packages, the full list of affected packages includes: apollo-server, apollo-server-azure-functions, apollo-server-cache-memcached, apollo-server-core, apollo-server-cloud-functions, apollo-server-cloudflare, apollo-server-express, apollo-server-fastify, apollo-server-hapi, apollo-server-koa, apollo-server-lambda, and apollo-server-micro.
Note: The full list included here doesn't fit into the box provided by the GitHub Security Advisories form.
Resolution
The problem is resolved in Apollo Server versions 2.14.2 or higher. If upgrading is not an option, see Workarounds below. When upgrading, ensure that the affected integration package (e.g., apollo-server-express) and the apollo-server-core package are both updated to the patched versions. (The version numbers should both be 2.14.2.)
Workarounds
Upgrading to a patched version is the recommended solution. If upgrading is not an option, subscriptions can be disabled with subscriptions: false to resolve the impact. Disabling subscriptions in this way will disable all subscriptions support and the WebSocket transport:
const server = new ApolloServer({
subscriptions: false,
/* Other options, such as typeDefs, resolvers, schema, etc. */
});
For more information
If you have any questions or comments about this advisory, please open an issue and the maintainers will try to assist.
Credit and appreciation
Apollo fully believes in ethical disclosure of vulnerabilities by security researchers who notify us with details and provide us time to address and fix the issues before publicly disclosing.
Credit for this discovery goes to the team at Bitwala, who reported the concern to us responsibly after discovering it during their own auditing.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "apollo-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-azure-functions"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-cache-memcached"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-cloud-functions"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-cloudflare"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-express"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-fastify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-hapi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-koa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-lambda"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "apollo-server-micro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2020-06-05T19:37:38Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The _Resolution_ section contains details on patched versions.\n\n### Impact\n\nIf `subscriptions: false` is passed to the `ApolloServer` constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport **and** are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If `introspection: true` is passed to the `ApolloServer` constructor options, the impact is limited to user-provided validation rules (i.e., using `validationRules`) since\u00a0there would be no expectation that introspection was disabled.\n\nThe enforcement of user-provided validation rules on the HTTP transport is working as intended and is unaffected by this advisory. Similarly, disabling introspection on the HTTP transport is working as intended and is unaffected by this advisory.\n\n\u003e **Note:** Unless `subscriptions: false` is explicitly passed to the constructor parameters of `new ApolloServer({ ... })`, **subscriptions are enabled by default, whether or not there is a `Subscription` type present in the schema.** As an alternative to upgrading to a patched version, see the _Workarounds_ section below to disable subscriptions if it is not necessary.\n\nIn cases where `subscriptions: false` is **not** explicitly set, the subscription server **is impacted** since validation rules which are enforced on the main request pipeline within Apollo Server were not being passed to the `SubscriptionServer.create` invocation ([seen here, prior to the patch](https://github.com/apollographql/apollo-server/blob/7d6f23443e52a90deb74f152f34bb76eea78ee19/packages/apollo-server-core/src/ApolloServer.ts#L677-L726)). \n\nThe omitted validation rules for the subscription server include any `validationRules` passed by implementors to the `ApolloServer` constructor which were expected to be enforced on the subscriptions WebSocket endpoint. **Additionally**, because an internal [`NoIntrospection`](https://github.com/apollographql/apollo-server/blob/7d6f23443/packages/apollo-server-core/src/ApolloServer.ts#L77-L88) validation rule is used to disable introspection, it would have been possible to introspect a server on the WebSocket endpoint that the `SubscriptionServer` creates even though it was not possible on other transports (e.g. HTTP).\n\n**The severity of risk depends on whether sensitive information is being stored in the schema itself.** The contents of schema descriptions, or secrets which might be revealed by the names of types or field names within those types, will determine the risk to individual implementors.\n\n### Affected packages\n\nThe bug existed in `apollo-server-core` versions prior to version 2.14.2, however, this means all integration packages (e.g., `apollo-server-express`, etc.) prior to version 2.14.2 which depend on `apollo-server-core` for their subscriptions support are affected. This includes the `apollo-server` package that automatically provides an Express server.\n\nTherefore, for officially published Apollo Server packages, the full list of affected packages includes: `apollo-server`, `apollo-server-azure-functions`, `apollo-server-cache-memcached`, `apollo-server-core`, `apollo-server-cloud-functions`, `apollo-server-cloudflare`, `apollo-server-express`, `apollo-server-fastify`, `apollo-server-hapi`, `apollo-server-koa`, `apollo-server-lambda`, and `apollo-server-micro`.\n\n\u003e Note: The full list included here doesn\u0027t fit into the box provided by the GitHub Security Advisories form.\n\n### Resolution\n\nThe problem is resolved in Apollo Server versions 2.14.2 or higher. If upgrading is not an option, see _Workarounds_ below. When upgrading, ensure that the affected integration package (e.g., `apollo-server-express`) **and** the `apollo-server-core` package are both updated to the patched versions. (The version numbers should both be 2.14.2.)\n\n### Workarounds\n\nUpgrading to a patched version is the recommended solution. If upgrading is not an option, subscriptions can be disabled with `subscriptions: false` to resolve the impact. **Disabling subscriptions in this way will disable _all_ subscriptions support and the WebSocket transport**:\n\n```js\nconst server = new ApolloServer({\n subscriptions: false,\n /* Other options, such as typeDefs, resolvers, schema, etc. */\n});\n```\n\n### For more information\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/apollographql/apollo-server/issues/new) and the maintainers will try to assist.\n\n### Credit and appreciation\n\nApollo fully believes in ethical disclosure of vulnerabilities by security researchers who notify us with details and provide us time to address and fix the issues before publicly disclosing.\n\nCredit for this discovery goes to the team at [Bitwala](https://www.bitwala.com/), who reported the concern to us responsibly after discovering it during their own auditing.",
"id": "GHSA-w42g-7vfc-xf37",
"modified": "2020-08-31T19:02:14Z",
"published": "2020-06-05T19:38:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apollographql/apollo-server/security/advisories/GHSA-w42g-7vfc-xf37"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/apollo-server/commit/e2e816316f5c28a03de2ee1589edb2b10c358114"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-w42g-7vfc-xf37"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1525"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1526"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1527"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1528"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1529"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1530"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1531"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1532"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1533"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1534"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1535"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1536"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Introspection in schema validation in Apollo Server"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.