Spring Cloud Gateway Remote Code Execution Vulnerability (CVE-2022-22947) Alert

March 7, 2022 | Jie Ji

Overview

Recently, NSFOCUS CERT detected that Spring released a report addressing the Spring Cloud Gateway code injection vulnerability (CVE-2022-22947). Due to a flaw in the Actuator endpoint of Spring Cloud Gateway, applications using Spring Cloud Gateway are vulnerable to code injection attacks when a user enables and exposes an insecure Gateway Actuator endpoint. Unauthenticated attackers can achieve remote code execution by sending specially crafted SpEL expressions to the target system for injection. The CVSS score is 10. At present, the vulnerability PoC has been disclosed. Affected users should take protective measures as soon as possible.

Spring Cloud Gateway is an API gateway based on Spring Framework and Spring Boot. The goal is to provide a simple, effective and unified API routing management method for microservice architecture.

Reference link: https://tanzu.vmware.com/security/cve-2022-22947

Scope of Impact

Affected version

  • Spring Cloud Gateway 3.1.0
  • 3.0.0 <= Spring Cloud Gateway <= 3.0.6
  • Other versions of Spring Cloud Gateway that are out of maintenance

Unaffected version

  • Spring Cloud Gateway >= 3.1.1
  • Spring Cloud Gateway >= 3.0.7

Vulnerability Detection

Manual check

Users can check whether the Spring configuration file enables and externally exposes the Spring Cloud Gateway Actuator endpoint, for example whether application.properties contains the following configuration. If it does and the Spring Cloud Gateway version is in scope, there is a security risk.
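One way to automate this manual check, as an added example that is not part of the NSFOCUS advisory or of Spring's own tooling: the Python script below flags a flat properties file that enables and exposes the gateway actuator endpoint while the Spring Cloud Gateway version is in the affected range listed above. The property names are the standard Spring Boot Actuator settings; the function names and sample inputs are constructed for illustration.

```python
import re

def version_in_scope(version: str) -> bool:
    """Advisory scope: 3.1.0, 3.0.0-3.0.6 and older unmaintained lines."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognized version: {version!r}")
    v = tuple(int(p) for p in m.groups())
    return v < (3, 0, 7) or v == (3, 1, 0)  # fixed in 3.0.7 and 3.1.1

def parse_properties(text: str) -> dict:
    """Parse flat 'key=value' / 'key: value' lines; comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def _ids(value: str) -> set:
    return {p.strip().lower() for p in value.split(",") if p.strip()}

def gateway_actuator_exposed(props: dict) -> bool:
    """True if the gateway endpoint is enabled and exposed over HTTP."""
    default = props.get("management.endpoints.enabled-by-default", "true")
    enabled = props.get("management.endpoint.gateway.enabled", default)
    # With no include list, Spring Boot does not expose 'gateway' over HTTP.
    include = _ids(props.get("management.endpoints.web.exposure.include", ""))
    exclude = _ids(props.get("management.endpoints.web.exposure.exclude", ""))
    exposed = bool(include & {"*", "gateway"}) and not (exclude & {"*", "gateway"})
    return enabled.lower() != "false" and exposed

def at_risk(properties_text: str, gateway_version: str) -> bool:
    return (version_in_scope(gateway_version)
            and gateway_actuator_exposed(parse_properties(properties_text)))

# Constructed sample inputs (not taken from the advisory).
SAMPLE_EXPOSED = """\
# gateway actuator reachable over HTTP
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=health,gateway
"""
SAMPLE_DISABLED = """\
management.endpoint.gateway.enabled: false
management.endpoints.web.exposure.include=*
"""

if __name__ == "__main__":
    print(at_risk(SAMPLE_EXPOSED, "3.1.0"), at_risk(SAMPLE_DISABLED, "3.0.3"))
```

The script reads configuration only: nested YAML must be flattened to dotted keys first, and an endpoint that is exposed but protected by Spring Security is still flagged for review.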

Vulnerability Mitigation

Official update

At present, the official security patch and new version have been released to fix the vulnerability. Affected users should update to the new version as soon as possible. The official download link: https://spring.io/blog/2022/02/18/spring-cloud-2021-0-1-has-been-released

Other methods

If users are temporarily unable to perform the update, the following measures can be used for temporary relief:

1. If the business does not need to use the Gateway actuator endpoint, it can be disabled by setting management.endpoint.gateway.enabled: false in the configuration file.

2. If you need to use the actuator, protect it with Spring Security. For details, please refer to the official guide:

https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.endpoints.security

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.