CVE-2022-22947

Description

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

Add Assessment

egalinkin-r7 (5)

June 02, 2022 6:29pm UTC (2 years ago)•Edited 3 months ago

Ratings

Attacker Value

Medium

Exploitability

Very High

Easy to weaponize Unauthenticated Vulnerable in uncommon configuration

Technical Analysis

CVE-2022-22947 is a remote code execution vulnerability in Spring Cloud Gateway that is currently being exploited in the wild. The vulnerable condition stems from Spring Expression Language (SpEL) expressions being passed to the StandardEvaluationContext context. This means that any valid SpEL expression passed to the context is executed.

Wyatt Dahlenberg provided a proof of concept exploit on his blog, which works on crafted vulnerable applications. In order to expose the interface, you need to modify the applications.properties file for an application using the Spring Cloud Gateway, suggesting that exposure of the vulnerable API is both non-standard and relatively uncommon.

Telemetry from Rapid7’s Project Heisenberg reveals a small number of exploit attempts (and scanners looking for vulnerable applications) over the last two months. This suggests that the scale of exploitation is low at this time.

cbeek-r7 (173)

July 26, 2024 7:27pm UTC (3 months ago)•Edited 3 months ago

Ratings

Observed in state-sponsored attacks

Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

10.0 Critical

Impact Score:

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

oracle,
vmware

Products

commerce guided search 11.3.2,
communications cloud native core binding support function 1.11.0,
communications cloud native core binding support function 22.1.3,
communications cloud native core console 22.2.0,
communications cloud native core network exposure function 22.1.0,
communications cloud native core network function cloud native environment 1.10.0,
communications cloud native core network repository function 1.15.0,
communications cloud native core network repository function 1.15.1,
communications cloud native core network repository function 22.1.2,
communications cloud native core network repository function 22.2.0,
communications cloud native core network slice selection function 1.8.0,
communications cloud native core network slice selection function 22.1.0,
communications cloud native core security edge protection proxy 22.1.1,
communications cloud native core service communication proxy 1.15.0,
spring cloud gateway,
spring cloud gateway 3.1.0

Metasploit Modules

exploit/linux/http/spring_cloud_gateway_rce (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/spring_cloud_gateway_rce.rb)

Exploited in the Wild

Reported by:

mkienow-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: May 16, 2022 10:17pm UTC (2 years ago)

egalinkin-r7 indicated sources as

Vendor Advisory
Government or Industry Alert
Other: Rapid7 Project Heisenberg

Reported: June 02, 2022 6:29pm UTC (2 years ago)

gwillcox-r7 indicated sources as

News Article or Blog (https://blog.malwarebytes.com/botnets/2022/05/sysrv-botnet-is-out-to-mine-monero-on-your-windows-and-linux-servers/)
Other: Tweet From Microsoft (https://twitter.com/MsftSecIntel/status/1525158223514423303)

Reported: June 03, 2022 7:14pm UTC (2 years ago)

cbeek-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a)

Reported: July 26, 2024 1:41pm UTC (3 months ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2022/05/16/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:18am UTC (1 week ago)

References

Canonical

CVE-2022-22947 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

Spring-Cloud-Gateway-CVE-2022-22947 (https://github.com/lucksec/Spring-Cloud-Gateway-CVE-2022-22947) (Added by AKB Worker)

cve-2022-22947-godzilla-memshell (https://github.com/whwlsfb/cve-2022-22947-godzilla-memshell) (Added by AKB Worker)

CVE-2022-22947_Rce_Exp (https://github.com/Axx8/CVE-2022-22947_Rce_Exp) (Added by AKB Worker)

Miscellaneous

https://tanzu.vmware.com/security/cve-2022-22947

http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html

Rapid7

Moderate

Moderate

Very High

None

None

Network

CVE-2022-22947

Description