Overview
Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7 contain a critical code injection vulnerability in the unsecured Actuator endpoint. This vulnerability allows remote attackers to execute arbitrary code on the host system when the Actuator endpoint is enabled, exposed, and unsecured. The vulnerability affects the gateway's ability to validate and sanitize user input when processing route definitions through the Actuator API. The vulnerability was disclosed on March 3, 2022. CISA has identified CVE-2022-22947 as exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
Spring Cloud Gateway's Actuator endpoint allows administrators to manage routes through HTTP endpoints. In vulnerable versions, the endpoint fails to properly validate and neutralize user-supplied input when processing route configuration updates. An attacker can inject malicious Spring Expression Language (SpEL) code through route definition parameters, which is then executed by the gateway when the route is evaluated. This is particularly dangerous because SpEL expressions in Spring have access to system methods and can be leveraged to execute arbitrary commands on the host operating system.
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')), CWE-917 (Expression Language Injection) and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
An unauthenticated attacker with network access to an exposed Actuator endpoint can execute arbitrary code with the privileges of the application process. This can lead to complete system compromise, including data exfiltration, service disruption, lateral movement within the network, installation of malware or backdoors, and use of the compromised system as a pivot point for attacks on internal infrastructure. The CVSS score of 9.8 reflects the critical nature of this vulnerability—it requires no authentication, no user interaction, and can affect multiple systems.
Mitigation and workarounds
Update Spring Cloud Gateway to version 3.1.1 or later for the 3.1.x branch, version 3.0.7 or later for the 3.0.x branch, or version 2.2.11.RELEASE or later for the 2.2.x branch. This can be done by updating the spring-cloud-gateway dependency in your Maven pom.xml or Gradle build.gradle file. After updating, rebuild and redeploy the application. The following versions include the necessary fixes: 3.1.1+, 3.0.7+, 2.2.11.RELEASE+.
As temporary workarounds:
- Immediately disable the Spring Cloud Gateway Actuator endpoint if it is not required for operations. This can be done by setting 'management.endpoints.web.exposure.exclude=gateway' in application.properties or application.yml.
- If the Actuator endpoint must be enabled, restrict access to it using a web application firewall (WAF), network-level firewalls, or reverse proxy authentication. Ensure the /actuator/gateway/routes endpoint is only accessible from trusted administrative networks.
- Implement strong authentication for Actuator endpoints using Spring Security with complex credentials or OAuth2/OIDC tokens. Ensure 'management.endpoints.web.exposure.include' does not include 'gateway' unless absolutely necessary.
- Deploy Spring Cloud Gateway behind a reverse proxy (such as nginx, Apache, or a cloud provider API gateway) that enforces authentication and authorization before allowing access to the Actuator endpoint.
CISA recommendation: Apply updates per vendor instructions.
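The third workaround (authenticating the Actuator with Spring Security) as an added example, not code from the advisory or from the Spring project. It assumes a Spring Cloud Gateway application on the reactive WebFlux stack (Spring Boot 2.6 / Spring Security 5.6, the generation that Spring Cloud Gateway 3.1.1 builds on); the class name, role name and the in-memory credential are constructed for illustration.

```java
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Added example (hypothetical class, not from the advisory): the Actuator "gateway"
// endpoint is reachable only by an authenticated administrator role, while the
// traffic the gateway proxies keeps whatever policy the backends enforce.
@Configuration
@EnableWebFluxSecurity
public class ActuatorSecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                // The route-management endpoint behind CVE-2022-22947: never anonymous.
                .matchers(EndpointRequest.to("gateway")).hasRole("GATEWAY_ADMIN")
                // Liveness probes may read health/info; every other Actuator path
                // requires an authenticated caller.
                .matchers(EndpointRequest.to("health", "info")).permitAll()
                .matchers(EndpointRequest.toAnyEndpoint()).authenticated()
                .anyExchange().permitAll())
            // HTTP Basic for tooling on the administrative network; OAuth2/OIDC is
            // the stronger choice where an identity provider is available.
            .httpBasic(Customizer.withDefaults())
            // No session cookie is issued by this chain, so CSRF tokens add nothing
            // and would only block the POST/DELETE calls legitimate route tooling makes.
            .csrf(csrf -> csrf.disable())
            .build();
    }

    @Bean
    public MapReactiveUserDetailsService adminUser(PasswordEncoder encoder) {
        // Constructed placeholder credential; load the real secret from a vault.
        return new MapReactiveUserDetailsService(User.withUsername("gateway-admin")
            .password(encoder.encode("REPLACE-WITH-A-STRONG-SECRET"))
            .roles("GATEWAY_ADMIN").build());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

Combine this with the exposure properties above: keep 'gateway' out of management.endpoints.web.exposure.include unless route management is genuinely needed, and restrict the management port at the network layer even when authentication is in place.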
Additional resources
Source: This report was generated by AI.

