External risk intelligence

Spring Cloud Function: Remote Code Execution Risk

CVE advisory (known exploit)

CVE-2022-22963

Certain versions of Spring Cloud Function are susceptible to remote code execution and local resource access when processing specially crafted expressions. This could lead to unauthorized control of affected systems, posing a business risk.

Halo Surface Signal: 4

Code Injection

VMware Spring Cloud Function

Affected versions: 3.1.6 and earlier; 3.2.0 to 3.2.2
Other affected version identifiers listed: 14.5, 14.2, 1.9.0, 22.1.0, 1.10.0, 22.1.2, 1.15.0, 1.8.0, 22.1.3, 1.7.0, 12.6.0.0.0, 8.1.1.0, 8.1.2.0, 8.1.1.1, 8.0.29 and earlier, 3.6.1.0, 20.0.1, 21.0.0, 9.0, 9.1

External exposure likelihood

Halo Surface Signal score for CVE-2022-22963

Spring Cloud Function is a framework commonly used to build web services, APIs, and cloud-native applications. While deployment patterns vary, these components are frequently exposed as network-reachable endpoints to process incoming web requests, making them common targets for public-facing application services.

Horizon Alert

Summary of the vulnerability and why it matters

In Spring Cloud Function, the routing functionality is vulnerable when processing specially crafted expressions. This flaw allows attackers to execute arbitrary code on affected systems and access local resources. The potential impact includes the complete compromise of systems, including serverless functions within cloud environments.

  • Vulnerable component: Spring Cloud Function routing functionality
  • Core weakness: Malicious Spring Expression Language (SpEL) injection
  • Main business impact: Remote code execution and system compromise
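The core weakness above is the general SpEL injection pattern: an expression string controlled by the caller is evaluated with a context that exposes the whole JVM. The following is an added example, not code from Spring Cloud Function or VMware, showing the same routing-style expression evaluated twice: once with Spring's permissive StandardEvaluationContext and once with the restricted SimpleEvaluationContext that only permits read-only data binding. The Message class, the header names and the two sample expressions are constructed for the demonstration; it assumes only spring-expression on the classpath.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

import java.util.Map;

/**
 * Added example (not Spring Cloud Function's own code).
 * Evaluates a caller-supplied routing expression against a message,
 * contrasting a permissive and a restricted evaluation context.
 */
public class RoutingExpressionDemo {

    /** Constructed stand-in for a function input whose headers drive routing. */
    public static class Message {
        private final Map<String, Object> headers;
        private final String payload;

        public Message(Map<String, Object> headers, String payload) {
            this.headers = headers;
            this.payload = payload;
        }

        public Map<String, Object> getHeaders() { return headers; }
        public String getPayload() { return payload; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Vulnerable pattern: full SpEL power (type references, constructors,
     *  arbitrary method calls) is available to whoever controls the string. */
    static Object evaluatePermissive(String expression, Message root) {
        Expression expr = PARSER.parseExpression(expression);
        return expr.getValue(new StandardEvaluationContext(root));
    }

    /** Hardened pattern: read-only data binding only. T(...) type references,
     *  constructors and bean references are unsupported and raise an exception
     *  before anything is executed. */
    static Object evaluateRestricted(String expression, Message root) {
        Expression expr = PARSER.parseExpression(expression);
        return expr.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    public static void main(String[] args) {
        Message msg = new Message(Map.of("tenant", "acme", "kind", "order"), "{\"id\":42}");

        // Legitimate routing: choose a function name from a message header.
        // Both contexts evaluate this to "processOrder".
        String benign = "headers['kind'] == 'order' ? 'processOrder' : 'fallback'";
        System.out.println("permissive: " + evaluatePermissive(benign, msg));
        System.out.println("restricted: " + evaluateRestricted(benign, msg));

        // An expression that leaves the message and reaches a JVM class via a
        // type reference. The permissive context resolves and runs it (prints 2);
        // the restricted context rejects the type reference outright.
        String typeRef = "T(java.lang.Math).max(1, 2)";
        System.out.println("permissive: " + evaluatePermissive(typeRef, msg));
        try {
            evaluateRestricted(typeRef, msg);
        } catch (SpelEvaluationException e) {
            System.out.println("restricted: rejected (" + e.getMessageCode() + ")");
        }
    }
}
```

The design point is that the restricted context is a whitelist, not a blacklist: rather than trying to recognise dangerous expressions, it removes the capabilities (type lookup, constructors, bean references) that turn an expression language into a code-execution primitive, which is the class of change a fix for this weakness needs.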

Attack Path

How an attacker could exploit the issue

A specially crafted SpEL expression can be used to execute commands remotely. This occurs when the routing functionality is enabled within Spring Cloud Function, allowing an attacker to gain control of local resources. Exploitation can lead to unauthorized code execution, impacting the confidentiality, integrity, and availability of affected systems.

  • Exposed routing functionality
  • Attacker sends crafted SpEL expression
  • Remote code execution and resource access
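The attack path runs entirely through routing instructions that arrive with the request. Until the vendor fix is applied, one compensating control at the HTTP edge is to refuse any externally supplied routing header and record the attempt. The following is an added example, not Spring Cloud Function's own code: a servlet filter that rejects requests carrying the `spring.cloud.function.routing-expression` or `spring.cloud.function.definition` headers (the header names Spring Cloud Function honours for routing; confirm against the docs of your version) and logs the source. It assumes a Spring Boot 2.x application (javax.servlet) in which routing is never meant to be driven by external callers.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example (not Spring Cloud Function's own code).
 * Compensating control: drop and log HTTP requests that try to supply
 * function-routing instructions from outside the application.
 */
@Component
public class RoutingHeaderGuardFilter extends OncePerRequestFilter {

    /** Header names Spring Cloud Function consults for routing decisions. */
    static final Set<String> ROUTING_HEADERS = Set.of(
            "spring.cloud.function.routing-expression",
            "spring.cloud.function.definition");

    /** Returns the first routing header present on the request, or null. */
    static String offendingHeader(HttpServletRequest request) {
        for (String name : ROUTING_HEADERS) {
            // getHeader is case-insensitive, so mixed-case variants are caught too.
            if (request.getHeader(name) != null) {
                return name;
            }
        }
        return null;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = offendingHeader(request);
        if (header != null) {
            // Log the fact and the source, not the expression itself, so the
            // log cannot be used to replay or tune an attempt.
            logger.warn("Rejected external routing header '" + header + "' from "
                    + request.getRemoteAddr() + " for " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Two caveats a practitioner should keep in mind: the filter only covers HTTP ingress, so routing headers that reach the function through a message broker or another adapter are not touched by it; and it is a stop-gap that reduces exposure, not a substitute for the vendor update, since the underlying evaluation remains unchanged.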

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability presents a significant threat due to its potential for remote code execution and access to local resources. This could allow attackers to gain unauthorized control over affected systems, potentially leading to data breaches or service disruptions. Organizations using the affected software should consider this a high-risk situation.

  • Exploitable by attackers with no specialized skills.
  • No prior access or special conditions required.
  • High business risk; urgent attention needed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability may allow attackers to execute arbitrary code and access local resources on affected systems. Organizations should prioritize identifying all instances of the vulnerable software and take immediate steps to mitigate the associated risks. Prompt remediation by applying vendor-supplied security updates is essential to protect systems and data from potential compromise.

  • Identify all affected assets.
  • Reduce exposure or isolate risk.
  • Apply vendor fix and validate.
  • Monitor for related issues.
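The first two steps, identifying affected assets and validating the fix, come down to checking every Spring Cloud Function artifact against the affected ranges stated above (3.1.6 and earlier, and 3.2.0 to 3.2.2). The following is an added example, not VMware's or the project's tooling: it takes dependency coordinates in the `groupId:artifactId:type:version:scope` form printed by `mvn dependency:list` (the sample lines are constructed) and reports the ones inside those ranges, so the same check can be run before and after the update.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not VMware's or the project's code).
 * Flags Spring Cloud Function artifacts whose version falls in the affected
 * ranges given by the advisory: <= 3.1.6, or 3.2.0 <= version <= 3.2.2.
 */
public class AffectedVersionCheck {

    static final String GROUP = "org.springframework.cloud";
    static final String ARTIFACT_PREFIX = "spring-cloud-function";

    /** Parses the leading numeric major.minor.patch of a version string,
     *  ignoring qualifiers such as "-SNAPSHOT" or ".RELEASE". */
    static int[] parseVersion(String version) {
        String core = version.split("[-+]")[0];
        String[] parts = core.split("\\.");
        int[] numbers = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            if (parts[i].matches("\\d+")) {
                numbers[i] = Integer.parseInt(parts[i]);
            }
        }
        return numbers;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** True when the version is inside either range from the advisory. */
    static boolean isAffected(String version) {
        int[] v = parseVersion(version);
        boolean atOrBelow316 = compare(v, new int[]{3, 1, 6}) <= 0;
        boolean in320to322 = compare(v, new int[]{3, 2, 0}) >= 0
                && compare(v, new int[]{3, 2, 2}) <= 0;
        return atOrBelow316 || in320to322;
    }

    /** Returns "artifactId:version" for every affected Spring Cloud Function entry. */
    static List<String> findAffected(List<String> coordinates) {
        List<String> hits = new ArrayList<>();
        for (String line : coordinates) {
            String[] c = line.trim().split(":");
            if (c.length < 4) {
                continue; // not a coordinate line
            }
            if (!GROUP.equals(c[0]) || !c[1].startsWith(ARTIFACT_PREFIX)) {
                continue; // some other dependency
            }
            String version = c[3];
            if (isAffected(version)) {
                hits.add(c[1] + ":" + version);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of `mvn dependency:list` output.
        List<String> sample = List.of(
                "org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile",
                "org.springframework.cloud:spring-cloud-function-web:jar:3.1.6:compile",
                "org.springframework.cloud:spring-cloud-function-context:jar:3.2.3:compile",
                "org.springframework.boot:spring-boot-starter-web:jar:2.6.6:compile");
        // Prints the first two entries as AFFECTED; 3.2.3 is outside both ranges.
        findAffected(sample).forEach(hit -> System.out.println("AFFECTED " + hit));
    }
}
```

Run the check against the dependency listing of every deployable, including transitive dependencies, since the vulnerable artifact is often pulled in indirectly by a starter rather than declared in the application's own build file.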

Frequently asked questions

What is Spring Cloud Function and what is its role in application development?

Spring Cloud Function is a framework that supports the standard model for Spring programming, enabling the development of applications that are deployable as functions. It is commonly used for building serverless functions, microservices, and event-driven applications. The framework's routing functionality is central to this vulnerability, allowing for dynamic dispatch of function calls based on defined expressions.

How does the Spring Cloud Function vulnerability (CVE-2022-22963) lead to remote code execution?

The vulnerability, identified as CVE-2022-22963, arises from a weakness in the routing functionality of Spring Cloud Function. Attackers can exploit this by providing a maliciously crafted SpEL (Spring Expression Language) expression as a routing expression. This allows for the execution of arbitrary code on the affected system and grants access to local resources.

What is the trigger path and scope of the Spring Cloud Function RCE vulnerability?

The trigger path for this vulnerability involves exploiting the routing functionality within Spring Cloud Function. An attacker can provide a specially crafted SpEL expression that, when processed by the vulnerable routing mechanism, leads to remote code execution. The scope of the impact is broad, as it allows for arbitrary code execution and access to local resources on the affected server, potentially leading to a full system compromise.

What is the relevance of CVE-2022-22963, considering it's on the CISA KEV catalog?

The inclusion of CVE-2022-22963 on the CISA Known Exploited Vulnerabilities (KEV) catalog signifies that it has been actively exploited in the wild. This makes the vulnerability highly relevant and a critical priority for organizations to address, as attackers are actively leveraging it for malicious purposes. The critical severity score (CVSS 9.8) further emphasizes the significant risk posed by this vulnerability.

What practical steps should an organization take to respond to the Spring Cloud Function vulnerability?

Organizations should immediately identify all instances of Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions within their environment. Prioritize applying updates and patches provided by VMware or implementing mitigating controls as recommended by security advisories. Regularly review security alerts and maintain an up-to-date inventory of software versions to proactively manage such risks.
