Vulnerability Management

Protect Your Spring Cloud Functions From Critical RCE Vulnerability (CVE-2022-22963)

A new Zero-Day CVE in Spring Cloud Functions was discovered, named CVE-2022-22963.

Written by Piyush Chhiroliya

April 1, 2022 | 2 min read

On the 30th of March, 2022, a new Zero-day CVE in Spring Cloud Functions was discovered, named CVE-2022-22963. Spring Cloud Function promotes the implementation of business logic via functions. The vulnerability is remotely exploitable without authentication, i.e., it can be exploited over a network without a username and password.

What is a Spring Cloud function?

Spring Cloud is an open-source microservice framework. Spring Cloud is a collection of functions useful in building distributed enterprise applications.

Due to the severity of this vulnerability, PingSafe strongly recommends that customers apply the updates and upgrade Spring Cloud Function to the recommended patched release, Spring Cloud Function 3.2.3 or 3.1.7.

What is the impact of Spring Cloud vulnerability?

The Spring Cloud vulnerability can be exploited to achieve unauthorized remote code execution on affected servers. Hackers are still using the recently discovered exploit to attack servers. The exploit lets an attacker execute malicious Java code on the vulnerable server.

  • The attacker invokes any server endpoint with a malicious payload.
  • The payload is injected via the "spring.cloud.function.routing-expression" header, which is evaluated by SimpleEvaluationContext: T(java.lang.Runtime).getRuntime().exec("command")

Here, "command" is the malicious command an attacker uses to harm the system and take over the remote server. This payload triggers Spring Cloud Function, which sends a request to the attacker's server.

  • The payload is then evaluated by SimpleEvaluationContext, which executes it, allowing the attacker to run system commands.
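From the defender's side, the practical check is whether inbound requests carry the routing-expression header with anything other than a plain function name in it. The following script is an added example, not code from the post or from PingSafe: it scans a small set of constructed request records and flags header values containing SpEL constructs such as the `T(...)` type reference quoted above. The detection patterns and the request format are assumptions made for this example.

```python
import re
from typing import Dict, Iterable, List

# Header the post names as the injection point for CVE-2022-22963.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# A legitimate routing expression only names the function to invoke.
BENIGN_ROUTE = re.compile(r"^[A-Za-z_][\w.]*$")

# SpEL constructs a function-name router never needs. These are assumed
# heuristics written for this example, not a vendor rule set.
SUSPICIOUS = {
    "type-reference": re.compile(r"\bT\s*\("),          # T(java.lang.Runtime)
    "runtime-class": re.compile(r"java\.lang\.(Runtime|ProcessBuilder)"),
    "exec-call": re.compile(r"\.exec\s*\("),
    "constructor": re.compile(r"\bnew\s+[\w.]+\s*\("),
}

def classify_routing_expression(value: str) -> List[str]:
    """Return the suspicious constructs found in a routing header value."""
    if BENIGN_ROUTE.match(value.strip()):
        return []
    return [name for name, pat in SUSPICIOUS.items() if pat.search(value)]

def scan_requests(requests: Iterable[Dict]) -> List[Dict]:
    """Flag requests whose routing header is not a plain function name."""
    findings = []
    for req in requests:
        # HTTP header names are case-insensitive, so normalise before lookup.
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        expr = headers.get(ROUTING_HEADER)
        if expr is not None:
            hits = classify_routing_expression(expr)
            if hits:
                findings.append({"path": req["path"], "expression": expr, "hits": hits})
    return findings

# Constructed sample traffic: a normal routing request, one carrying the
# class-reference payload shape quoted in the post, and one without the header.
SAMPLE_REQUESTS = [
    {"path": "/functionRouter", "headers": {ROUTING_HEADER: "uppercase"}},
    {"path": "/functionRouter", "headers": {"Spring.Cloud.Function.Routing-Expression":
        'T(java.lang.Runtime).getRuntime().exec("command")'}},
    {"path": "/health", "headers": {}},
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {finding['path']}: {finding['hits']} in {finding['expression']!r}")
```

Such a check is a stopgap for alerting only; the fix remains upgrading to a patched Spring Cloud Function release as the post describes.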

Affected systems

Various applications and cloud services that use Spring Cloud are exposed to this attack. Security researchers have already discovered that the CVE-2022-22963 vulnerability can be exploited on the servers of large companies.

Upgrading the Spring Cloud Function to 3.2.17 or 3.1.6 or higher is highly recommended.

The following versions of Spring Cloud Function are impacted:

3.1.6 <= version <= 3.2.16

You can check the PingSafe dashboard under Host Misconfiguration to determine if your servers are secure.

PingSafe Dashboard

Steps for remediation

The latest version of Spring Cloud Function has been released on the official website. You can download it and upgrade your service to use the newest version.

How can PingSafe help?

PingSafe can detect the CVE-2022-22963 vulnerability on your infrastructure without having an agent in place. Book a personalized free demo to see how PingSafe protects your cloud infrastructure from the Spring Cloud Function vulnerability and from possible new zero-day vulnerabilities.

References:

NVD – CVE-2022-22963