Spring Cloud Function Remote Code Execution Vulnerability (Spring4Shell) (CVE-2022-22963)

Spring Cloud is an open-source microservices framework that consists of a set of ready-to-use components for developing different business applications. It’s extensively used across industries by a variety of businesses, and it comes pre-integrated with components from a variety of app providers. 
 
A high-severity remote code execution vulnerability (CVE-2022-22963) has been discovered in Spring Cloud Function. Successful exploitation of this vulnerability may lead to complete system compromise. 
 
The vulnerability is also being called “Spring4Shell” because, like the Log4Shell vulnerability discovered in December, it is Java-based and easy to exploit.
 
By using the routing functionality, an attacker can supply a specially crafted SpEL expression as the routing expression, which could result in remote code execution and access to local resources.
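The routing path described above is triggered by the request header that Spring Cloud Function's routing function evaluates as SpEL. Below is an added detection example (not Qualys or Spring code) that classifies requests from constructed proxy/WAF log entries: it assumes the header name `spring.cloud.function.routing-expression` and a JSON-per-line log format, and flags any client-supplied routing expression, escalating to "block" when the expression uses the SpEL type-reference operator `T(`, which a legitimate routing expression (a function name) never needs.

```python
"""Detection logic for CVE-2022-22963 exposure: flags HTTP requests carrying
the Spring Cloud Function routing-expression header, whose value is evaluated
as SpEL by the routing function. Added example, not Qualys' or Spring's code."""
import json
import re

ROUTING_HEADER = "spring.cloud.function.routing-expression"
# SpEL's type-reference operator T(...) is what lets an expression reach
# arbitrary JVM classes; routing only needs a function name such as "uppercase".
TYPE_REF = re.compile(r"\bT\s*\(")
# Plain function names, optionally composed with "|" or ",", are the expected form.
PLAIN_NAME = re.compile(r"[A-Za-z0-9_|,]+")


def classify_request(headers):
    """Return (verdict, detail) for one request's headers (dict name -> value).
    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(ROUTING_HEADER)
    if value is None:
        return ("allow", "no routing-expression header")
    if TYPE_REF.search(value):
        return ("block", "SpEL type reference in routing expression: " + value)
    if not PLAIN_NAME.fullmatch(value):
        return ("alert", "non-trivial routing expression from client: " + value)
    # Even a plain name is worth an alert on endpoints exposed to untrusted
    # clients, because they should not be choosing the route at all.
    return ("alert", "routing-expression header set by client: " + value)


def scan_log(lines):
    """Run classify_request over JSON-per-line log entries (constructed format)
    and return (src, path, verdict, detail) for every entry not plainly allowed."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        verdict, detail = classify_request(entry.get("headers", {}))
        if verdict != "allow":
            findings.append((entry["src"], entry["path"], verdict, detail))
    return findings


# Constructed sample log: one benign call, one client-chosen route, one SpEL type reference.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "path": "/uppercase", "headers": {"Content-Type": "text/plain"}}',
    '{"src": "10.0.0.7", "path": "/functionRouter", "headers": {"spring.cloud.function.routing-expression": "uppercase|reverse"}}',
    '{"src": "203.0.113.9", "path": "/functionRouter", "headers": {"Spring.Cloud.Function.Routing-Expression": "T(java.lang.System).getProperty(\'java.version\')"}}',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```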
 
Affected versions  
Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions are affected by this vulnerability. 
 
Mitigation  
Customers can upgrade to the latest Spring Cloud Function versions 3.1.7 and 3.2.3 to mitigate the vulnerability. For more information, please refer to the Spring Cloud security advisory.
 
Qualys Detection

QID    | Title                                                                                    | Version                                        | Available for
-------|------------------------------------------------------------------------------------------|------------------------------------------------|--------------------
376508 | Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Authenticated)          | VULNSIGS-2.5.440-6 / lx_manifest-2.5.440.6-5   | Scanner/Cloud Agent
730418 | Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Unauthenticated Check)   | VULNSIGS-2.5.440-6                             | Scanner
48209  | Spring Framework and Spring Boot JARs Spring Cloud JARs Detected Scan Utility            | VULNSIGS-2.5.444-2 / manifest 2.5.444.2-1      | Scanner/Cloud Agent
376514 | Spring Framework Remote Code Execution (RCE) Vulnerability (Spring4Shell) Scan Utility   | VULNSIGS-2.5.444-2 / manifest 2.5.444.2-1      | Scanner/Cloud Agent
376520 | Spring Cloud Function Remote Code Execution (RCE) Vulnerability Scan Utility             | VULNSIGS-2.5.444-2 / manifest 2.5.444.2-1      | Scanner/Cloud Agent

Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://tanzu.vmware.com/security/cve-2022-22963  
https://sysdig.com/blog/cve-2022-22963-spring-cloud/  
https://threatpost.com/critical-rce-bug-spring-log4shell/179173/  
https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function 