CVE-2022-22947

Spring Cloud Gateway vulnerability analysis and mitigation — CRITICAL (CVSS 10)

High Profile Threat

Overview

Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7 contain a critical code injection vulnerability in the unsecured Actuator endpoint. This vulnerability allows remote attackers to execute arbitrary code on the host system when the Actuator endpoint is enabled, exposed, and unsecured. The flaw lies in the gateway's failure to validate and sanitize user input when processing route definitions submitted through the Actuator API. The vulnerability was disclosed on March 3, 2022. CISA has identified CVE-2022-22947 as being exploited in the wild, but it is not currently known to be used in ransomware campaigns.

Technical details

Spring Cloud Gateway's Actuator endpoint allows administrators to manage routes through HTTP endpoints. In vulnerable versions, the endpoint fails to properly validate and neutralize user-supplied input when processing route configuration updates. An attacker can inject malicious Spring Expression Language (SpEL) code through route definition parameters, which is then executed by the gateway when the route is evaluated. This is particularly dangerous because SpEL expressions in Spring have access to system methods and can be leveraged to execute arbitrary commands on the host operating system.

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')), CWE-917 (Expression Language Injection) and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.

Impact

An unauthenticated attacker with network access to an exposed Actuator endpoint can execute arbitrary code with the privileges of the application process. This can lead to complete system compromise, including data exfiltration, service disruption, lateral movement within the network, installation of malware or backdoors, and use of the compromised system as a pivot point for attacks on internal infrastructure. The CVSS score of 9.8 reflects the critical nature of this vulnerability: it requires no authentication and no user interaction, and because the scope is changed (S:C) its impact extends beyond the gateway itself to the systems it fronts.

Mitigation and workarounds

Update Spring Cloud Gateway to version 3.1.1 or later for the 3.1.x branch, version 3.0.7 or later for the 3.0.x branch, or version 2.2.11.RELEASE or later for the 2.2.x branch. This can be done by updating the spring-cloud-gateway dependency in your Maven pom.xml or Gradle build.gradle file. After updating, rebuild and redeploy the application. The following versions include the necessary fixes: 3.1.1+, 3.0.7+, 2.2.11.RELEASE+.

As temporary workarounds:

- Immediately disable the Spring Cloud Gateway Actuator endpoint if it is not required for operations. This can be done by setting 'management.endpoints.web.exposure.exclude=gateway' in application.properties or application.yml.
- If the Actuator endpoint must be enabled, restrict access to it using a web application firewall (WAF), network-level firewalls, or reverse proxy authentication. Ensure the /actuator/gateway/routes endpoint is only accessible from trusted administrative networks.
- Implement strong authentication for Actuator endpoints using Spring Security with complex credentials or OAuth2/OIDC tokens. Ensure 'management.endpoints.web.exposure.include' does not include 'gateway' unless absolutely necessary.
- Deploy Spring Cloud Gateway behind a reverse proxy (such as NGINX, Apache, or a cloud provider API gateway) that enforces authentication and authorization before allowing access to the Actuator endpoint.
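The include/exclude workarounds above depend on how Spring Boot resolves endpoint exposure. The following audit script is an added example (not part of this advisory or of the Spring project) that parses an application.properties file and reports whether /actuator/gateway would be reachable over HTTP; it assumes Spring Boot's documented rules that exclude takes precedence over include, that `*` matches every endpoint, that the default web include list is `health`, and that the endpoint is enabled unless `management.endpoint.gateway.enabled` or `management.endpoints.enabled-by-default` is false. The two sample configurations are constructed for illustration.

```python
"""Audit a Spring Boot application.properties for an exposed gateway actuator.

Added example, not from the advisory or the Spring project. Assumed rules
(Spring Boot exposure semantics): `exclude` wins over `include`, `*` matches
every endpoint, default web `include` is `health`, endpoint enabled by default.
"""


def parse_properties(text: str) -> dict:
    """Minimal application.properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> set:
    """Split a comma-separated property value into a set of trimmed names."""
    return {v.strip() for v in value.split(",") if v.strip()}


def gateway_endpoint_exposed(props: dict) -> bool:
    """True when the gateway actuator endpoint would be reachable over the web."""
    enabled = props.get("management.endpoint.gateway.enabled",
                        props.get("management.endpoints.enabled-by-default", "true"))
    if enabled.lower() != "true":
        return False  # endpoint disabled outright
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "gateway" in exclude or "*" in exclude:
        return False  # exclude takes precedence over include
    return "gateway" in include or "*" in include


# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_CONFIG = """
# exposes every actuator endpoint over HTTP, including gateway
management.endpoints.web.exposure.include=*
"""
FIXED_CONFIG = """
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=gateway
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        state = "EXPOSED" if gateway_endpoint_exposed(parse_properties(cfg)) else "not exposed"
        print(f"{name}: gateway actuator {state}")
```

Run it against each deployed application.properties; a result of EXPOSED on an unpatched version means the Actuator endpoint must be excluded or placed behind authentication before anything else.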

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related VMware Vulnerabilities

No related vulnerabilities found with identified affected products.