External risk intelligence

Spring Cloud Gateway Remote Code Execution Vulnerability

CVE advisory

Known Exploit

CVE-2022-22947

Organizations using Spring Cloud Gateway face a code injection risk if the Gateway Actuator endpoint is enabled and unsecured. This allows remote attackers to execute arbitrary code on the host, posing a business risk.

Halo Surface Signal: 4

Code Injection

VMware Spring Cloud Gateway

Affected versions: before 3.0.7; 3.1.0; 11.3.2; 1.11.0; 22.1.3; 22.2.0; 22.1.0; 1.10.0; 1.15.0; 1.15.1; 22.1.2; 1.8.0; 22.1.1

External exposure likelihood

Halo Surface Signal score for CVE-2022-22947

Spring Cloud Gateway is designed to function as an edge service or API gateway, placing it at the network perimeter. While the vulnerability requires the specific Actuator endpoint to be enabled and unsecured, the product's primary role as a gateway makes it a common internet-facing component in many web application architectures.

Horizon Alert

Summary of the vulnerability and why it matters

Spring Cloud Gateway applications present a security risk when the Gateway Actuator endpoint is enabled, exposed, and not secured. This configuration allows for code injection. An attacker could exploit this by sending a specially crafted request to achieve arbitrary remote execution on the affected host. This could lead to unauthorized access and control over the system.

  • Vulnerable Spring Cloud Gateway Actuator endpoint
  • Code injection flaw
  • Remote code execution impact

Attack Path

How an attacker could exploit the issue

Spring Cloud Gateway applications face a code injection risk when the Gateway Actuator endpoint is enabled, exposed, and unsecured. This situation allows remote attackers to execute arbitrary code on the host through a specially crafted request. This vulnerability can lead to significant business risk if exploited.

  • Unsecured, exposed Gateway Actuator endpoint.
  • Remote attacker sends a crafted request.
  • Arbitrary remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for arbitrary remote code execution when a specific administrative endpoint is exposed and unprotected. Attackers can exploit this by sending a specially crafted request. The potential for widespread impact and the ease of exploitation indicate a significant threat.

  • Attackers require low skill.
  • Gateway endpoint must be exposed.
  • Business risk is high.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Organizations using Spring Cloud Gateway face a critical code injection vulnerability when the Gateway Actuator endpoint is exposed and unsecured. This could permit remote attackers to execute arbitrary code on the host system, posing a significant business risk. The vulnerability affects specific versions of Spring Cloud Gateway and related Oracle products.

  • Find exposed Spring Cloud Gateway assets.
  • Restrict access to the Actuator endpoint.
  • Apply vendor patches and confirm their effectiveness.

Frequently asked questions

What is Spring Cloud Gateway and its function in microservice architecture?

Spring Cloud Gateway is a project within the Spring Cloud ecosystem designed to provide an API gateway for microservice architectures. It serves as a unified entry point, managing requests to various microservices and offering features like routing, monitoring, resiliency, and security [4, 11, 17].

What kind of vulnerability does CVE-2022-22947 describe?

CVE-2022-22947 is a critical code injection vulnerability (CWE-94) in Spring Cloud Gateway. It allows remote, unauthenticated attackers to execute arbitrary code on the host system by sending crafted requests to an exposed and unsecured Gateway Actuator endpoint [1, 2, 3, 4, 5, 12, 13].

How is the code injection vulnerability triggered in Spring Cloud Gateway?

The vulnerability is triggered when the Gateway Actuator endpoint is enabled, exposed, and unsecured. Attackers can exploit this by sending specially crafted requests containing malicious Spring Expression Language (SpEL) expressions to the Actuator API, which are then evaluated without proper sanitization, leading to arbitrary code execution [1, 8, 11, 12, 17, 18].

Why is CVE-2022-22947 a significant threat, especially for internet-facing services?

The vulnerability allows for remote code execution without authentication, making it highly exploitable. Because Spring Cloud Gateway often functions as an API gateway, it is frequently exposed to the internet, increasing the attack surface. This has led to its inclusion in CISA's Known Exploited Vulnerabilities catalog [1, 4, 13, 17].

What are the recommended steps to mitigate CVE-2022-22947?

To mitigate this vulnerability, it is recommended to upgrade Spring Cloud Gateway to versions 3.1.1+ or 3.0.7+. If immediate patching is not feasible, disable the Gateway Actuator endpoint or secure it using Spring Security. Regularly review network configurations to prevent external exposure of Actuator endpoints [1, 2, 4, 8].
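The precondition described in the FAQ above (Gateway Actuator endpoint enabled and exposed over HTTP) and the interim mitigation (disable the endpoint) can both be checked from a Spring Boot properties file. The following is an added example, not code from the advisory or from the Spring project: it parses `.properties` syntax and reports whether the configuration meets that precondition. The property keys are the real Spring Boot / Spring Cloud Gateway names; the two sample configurations are constructed.

```python
# Added example, not from the advisory or the Spring project: checks Spring
# Boot .properties for the precondition the advisory describes (Gateway
# Actuator endpoint enabled and exposed over HTTP). Keys are real Spring Boot /
# Spring Cloud Gateway property names; both sample configurations are constructed.
from typing import Dict, List

# Constructed: gateway endpoint exposed on the application's own port.
WEAK_CONFIG = "management.endpoints.web.exposure.include=health,info,gateway\n"

# Constructed: endpoint disabled (the advisory's interim mitigation) and the
# remaining management endpoints moved to a separate port.
HARDENED_CONFIG = """management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.include=health
management.server.port=9090
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties syntax (key=value; '#' or '!' start a comment)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def gateway_actuator_exposed(props: Dict[str, str]) -> bool:
    """True when /actuator/gateway would be served over HTTP: the endpoint is
    enabled (its default) and named, or matched by '*', in the web exposure
    include list (whose default, 'health', does not cover it) and not excluded."""
    if props.get("management.endpoint.gateway.enabled", "true").lower() == "false":
        return False
    include = {x.strip() for x in props.get("management.endpoints.web.exposure.include", "health").split(",")}
    exclude = {x.strip() for x in props.get("management.endpoints.web.exposure.exclude", "").split(",")}
    return bool({"gateway", "*"} & include) and not ({"gateway", "*"} & exclude)


def audit(text: str) -> List[str]:
    """Return findings for one properties file; an empty list means not exposed."""
    props = parse_properties(text)
    findings: List[str] = []
    if gateway_actuator_exposed(props):
        findings.append("gateway actuator endpoint exposed over HTTP")
        if "management.server.port" not in props:
            findings.append("management endpoints share the application (internet-facing) port")
    return findings
```

Run `audit()` over each deployed `application.properties`; a non-empty result marks an asset for the "restrict access to the Actuator endpoint" action above, while the upgrade to 3.1.1+ or 3.0.7+ remains the actual fix.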

References