Researchers have discovered a code injection vulnerability in Spring Cloud that could enable remote attacks. On March 28, information security firm NSFOCUS released a security alert describing a Spring Cloud Function vulnerability that lets attackers “provide a specially crafted Spring Expression Language (SpEL) as a routing-expression that may result in access to local resources.”
VMware Spring Cloud is an open-source set of developer projects, spanning service discovery to configuration management, for distributed systems built on Spring. Spring Cloud Function is a project that abstracts away the transport and infrastructure layers so that developers can focus on business logic. The Spring Cloud project is hosted on GitHub.
According to NSFOCUS, the vulnerability is triggered through the spring.cloud.function.routing-expression request header. When routing is used, the value of this header is evaluated as a SpEL expression; if such expressions are not adequately safeguarded, an attacker can inject Expression Language (EL) into them. Depending on the severity of the EL injection, attackers may be able to access server-side data, interfere with functionality, hijack accounts, and more.
In this case the flaw is a SpEL injection. The researchers disclosed that this Spring Cloud Function vulnerability, assigned CVE-2022-22963 and rated medium severity, could lead to remote execution of arbitrary code.
Spring Cloud Function versions 3.1.6, 3.2.2 and earlier are affected. The researchers have released details of the flaw along with proof-of-concept (PoC) exploit code. According to a notification from Oleg Zhurakousky, users must update to Spring Cloud Function 3.1.7 or 3.2.3 to avoid the issue. At the time of writing, a patch has been committed, but not yet to a stable branch; in other words, the fix is slated for the next release but has not yet been released.
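Two defender-side checks that follow from the article, written here as an added example rather than code from NSFOCUS or the Spring project: a version check against the 3.1.7 / 3.2.3 fix boundaries, and a scan of access-log records for the spring.cloud.function.routing-expression header that the vulnerable routing path evaluates as SpEL. The JSON log format and the sample records are constructed for the example; release lines newer than 3.2 are assumed fixed.

```python
"""Defender-side helpers for CVE-2022-22963 (added example, not project code)."""
import json
import re
from typing import Iterable

# First fixed release on each affected line, per the advisory quoted above.
FIXED = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}
ROUTING_HEADER = "spring.cloud.function.routing-expression"


def parse_version(v: str) -> tuple:
    """'3.2.2' or '3.1.6.RELEASE' -> (3, 2, 2); qualifiers are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version predates the fix for its release line.

    Anything before 3.1 falls under "previous versions" in the advisory and
    is treated as affected; lines newer than 3.2 are assumed fixed.
    """
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return v < FIXED[line]
    return line < (3, 1)


def flag_routing_header(log_lines: Iterable[str]) -> list:
    """Return (request id, header value) for every JSON access-log record
    carrying the routing-expression header; header names are matched
    case-insensitively, as HTTP requires."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        for name, value in rec.get("headers", {}).items():
            if name.lower() == ROUTING_HEADER:
                hits.append((rec.get("id"), value))
    return hits


# Constructed sample records in a hypothetical JSON access-log format.
SAMPLE_LOG = [
    '{"id": "r1", "path": "/api/echo", "headers": {"Content-Type": "text/plain"}}',
    '{"id": "r2", "path": "/api/echo", "headers": {"Spring.Cloud.Function.Routing-Expression": "uppercase"}}',
    '{"id": "r3", "path": "/health", "headers": {}}',
]
```

Requests that carry this header are worth alerting on from any version still below the fix boundary; after upgrading, the scan remains a cheap way to spot probing.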