CVE-2022-22963

Spring Cloud vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Spring Cloud Function contains a remote code execution vulnerability caused by unsafe evaluation of Spring Expression Language (SpEL) in its routing functionality. The routing function accepts a SpEL expression either from the 'spring.cloud.function.routing-expression' configuration property (set by the operator) or from an HTTP header of the same name (set by whoever sends the request), and evaluates both with the same unrestricted privileges, so an attacker can execute arbitrary code by placing a crafted expression in the header. This critical vulnerability affects Spring Cloud Function 3.1.6, 3.2.2 and older unsupported versions on all supported platforms. It was disclosed on April 1, 2022. CISA lists CVE-2022-22963 as known to be exploited in the wild; it is not currently known to be used in ransomware campaigns.

Technical details

Spring Cloud Function 3.1.6, 3.2.2 and earlier evaluate the routing expression in an unrestricted SpEL evaluation context, regardless of whether the expression came from the 'spring.cloud.function.routing-expression' configuration property or from the HTTP header of the same name. The routing function uses SpEL to decide, per message, which function to invoke, which is a legitimate use when the expression is operator-controlled configuration. The same code path, however, also honours an expression supplied in a request header, and in a full evaluation context SpEL permits type references (T(...)), constructor invocation and static method calls, so an unauthenticated attacker who can reach the routing endpoint can run arbitrary Java in the application process. Only applications that expose the routing function are affected; applications that do not use the routing functionality are not exposed.
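To make the distinction concrete, here is an added example (not code from Spring Cloud Function or from this advisory) that evaluates the same two expressions against a stand-in message object in Spring's unrestricted StandardEvaluationContext and in its restricted SimpleEvaluationContext, the context the Spring Expression API documents for untrusted input. It assumes only org.springframework:spring-expression (with spring-core) on the classpath and Java 11 or later; the RoutedMessage class and the header names are constructed for the demonstration. The "hostile" expression calls a harmless static method so the program is safe to run; the point is that a type reference is evaluated at all.

```java
// Added example: vulnerable vs. restricted evaluation of a caller-supplied SpEL routing expression.
// Not Spring Cloud Function code. Requires spring-expression (and spring-core) on the classpath.
import java.util.Map;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RoutingExpressionDemo {

    // Constructed stand-in for the message the router evaluates the expression against:
    // a bean exposing a 'headers' map, which is all a legitimate routing expression needs.
    public static class RoutedMessage {
        private final Map<String, Object> headers;

        public RoutedMessage(Map<String, Object> headers) {
            this.headers = headers;
        }

        public Map<String, Object> getHeaders() {
            return headers;
        }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable pattern: StandardEvaluationContext gives the expression a TypeLocator,
    // constructor resolvers and static method access. Fine for operator-owned configuration,
    // fatal when the expression string arrives in an HTTP header.
    static Object evaluateUnrestricted(String expression, RoutedMessage root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(expression).getValue(ctx);
    }

    // Restricted pattern: SimpleEvaluationContext has no TypeLocator, no constructor resolver
    // and no bean resolver, so T(...), 'new' and @bean references throw SpelEvaluationException.
    // withInstanceMethods() still allows ordinary method calls on the root object (e.g. headers.get(...)).
    static Object evaluateRestricted(String expression, RoutedMessage root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withInstanceMethods()
                .build();
        return PARSER.parseExpression(expression).getValue(ctx, root);
    }

    public static void main(String[] args) {
        RoutedMessage msg = new RoutedMessage(Map.of("x-route", "uppercase"));

        // Legitimate routing expression: choose the target function from a message header.
        String legit = "headers['x-route']";
        System.out.println("legit   / unrestricted: " + evaluateUnrestricted(legit, msg));
        System.out.println("legit   / restricted:   " + evaluateRestricted(legit, msg));

        // Shape of an attacker-supplied expression: a type reference that escapes the message
        // entirely. A harmless static call is used here; in the real attack this is arbitrary Java.
        String hostile = "T(java.lang.System).getProperty('os.name')";
        System.out.println("hostile / unrestricted: " + evaluateUnrestricted(hostile, msg));
        try {
            evaluateRestricted(hostile, msg);
            System.out.println("hostile / restricted:   evaluated (this should not happen)");
        } catch (SpelEvaluationException e) {
            // Expected: the restricted context reports TYPE_NOT_FOUND for the T(...) reference.
            System.out.println("hostile / restricted:   rejected, " + e.getMessageCode());
        }
    }
}
```

Running it shows both contexts returning "uppercase" for the legitimate expression, while only the unrestricted context returns the OS name for the hostile one. The restricted context is not a parser-level filter on the string (which attackers routinely bypass with alternate spellings); it simply gives the expression no way to resolve a type or construct an object, whatever the string says.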

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')), CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')) and CWE-917 (Expression Language Injection).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.

Impact

An unauthenticated remote attacker can execute arbitrary code with the privileges of the application process. In an internet-facing deployment that exposes the routing function this is trivially exploitable and leads to complete compromise of the host: unauthorized access to sensitive data, modification or deletion of data, installation of malware, lateral movement within the network, and denial of service.

Mitigation and workarounds

Upgrade Spring Cloud Function to 3.1.7 or 3.2.3, or to any later release (including 4.0.x). If the library is pulled in transitively through a Spring Cloud release train, consult the Spring Cloud compatibility matrix and move to a train that carries a fixed version rather than overriding the single artifact. Update the dependency in your Maven pom.xml or Gradle build.gradle, then rebuild and redeploy. Confirm the resolved version before shipping, since a BOM can silently pin an older one: `mvn dependency:tree -Dincludes=org.springframework.cloud:spring-cloud-function-context` for Maven, or `gradle dependencyInsight --dependency spring-cloud-function-context` for Gradle.

Until the upgrade can be deployed, the following temporary workarounds reduce exposure. Disable or restrict access to the routing functionality with network-level controls (firewall rules, a web application firewall) that block access to the routing endpoint. Do not expose the routing function at all unless the application needs it; note that removing the 'spring.cloud.function.routing-expression' property from configuration is not sufficient on its own, because the header-supplied expression is evaluated whenever the routing function is reachable, whether or not the property is set. Implement reverse proxy or API gateway rules that reject or strip the 'spring.cloud.function.routing-expression' request header before requests reach the Spring Cloud Function application, and treat any request carrying that header from an untrusted client as an attack attempt worth logging.
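As an added illustration of the "reject the header before it reaches the application" workaround, not code from Spring Cloud Function or from this advisory, here is a servlet filter that does in-process what the proxy rule above does at the edge, for a Spring Boot 2.x application (javax.servlet namespace and Spring's @Component scanning are assumed). It answers 400 to any request carrying the routing-expression header and logs the attempt without echoing the untrusted value, which also gives you a detection signal. It is a stop-gap for when the edge cannot be changed quickly; it does not replace the upgrade, because the vulnerable code is still present and reachable through any path that bypasses the filter chain.

```java
// Added example: defensive servlet filter rejecting the CVE-2022-22963 request header.
// Not Spring Cloud Function code. Assumes Spring Boot 2.x (javax.servlet) and component scanning.
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // run before any other filter or handler sees the request
public class RoutingExpressionHeaderFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(RoutingExpressionHeaderFilter.class.getName());

    // Header name evaluated as SpEL by vulnerable RoutingFunction versions.
    static final String ROUTING_EXPRESSION_HEADER = "spring.cloud.function.routing-expression";

    // Decision kept in its own method so it can be unit-tested with a mock request.
    // Servlet header lookup is case-insensitive, so mixed-case variants are caught too.
    static boolean carriesRoutingExpression(HttpServletRequest request) {
        return request.getHeader(ROUTING_EXPRESSION_HEADER) != null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        if (carriesRoutingExpression(httpRequest)) {
            // Log who tried, but never the expression itself: it is attacker-controlled
            // and would otherwise land verbatim in the log.
            LOG.warning("Rejected request to " + httpRequest.getRequestURI()
                    + " from " + httpRequest.getRemoteAddr()
                    + " carrying header " + ROUTING_EXPRESSION_HEADER
                    + " (CVE-2022-22963 pattern)");
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return; // do not continue the chain; the routing function never sees the header
        }

        chain.doFilter(request, response);
    }
}
```

Rejecting rather than silently stripping the header is a deliberate choice: a legitimate client has no reason to send it, so a hard failure surfaces misconfiguration and the warning line feeds your alerting. If you run behind a proxy, take the client address from the proxy's forwarding header instead of getRemoteAddr() in the log line.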

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI
