Researchers discovered a significant security vulnerability in the Spring Cloud Function allowing code injection attacks. While the vendors have fixed the bug, the patch awaits rollout in the stable release.
Spring Cloud Framework Vulnerability
According to the NSFOCUS CERT, a severe code injection vulnerability affected the Spring Cloud Function. Explaining the vulnerable framework in their advisory, NSFOCUS stated,
Spring Cloud Function is a Spring Boot-based functional computing framework that abstracts all transport details and infrastructure, allowing developers to keep all familiar tools and processes and focus on business logic.
Specifically, the researchers analyzed the framework and found a SpEL expression injection flaw whose exploitation could allow a remote attacker to execute code. The researchers reproduced the exploit without difficulty, demonstrating the severity of the bug.
Describing the exact vulnerability, the advisory reads,
…the parameter “spring.cloud.function.routing-expression” in the request header is processed as a Spel expression by the apply method of the RoutingFunction class in Spring Cloud Function, resulting in a Spel expression injection vulnerability.
Exploiting this bug allows an attacker to execute arbitrary code by supplying a specially crafted SpEL expression as the routing expression.
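As an added example (not from the article or the NSFOCUS advisory), here is a small log check defenders can run for the header-borne routing expression the advisory describes: it flags any external request that carries the header at all, and raises the severity when the value uses SpEL type or constructor syntax. The JSON-per-line reverse-proxy log format and its field names are assumptions.

```python
import json
import re
from dataclasses import dataclass

# Header named in the NSFOCUS advisory: before the fix, RoutingFunction.apply
# evaluated its value as a SpEL expression. Ordinary clients have no reason to
# send it, so any occurrence on an external request deserves a look.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs that give an expression access to arbitrary types/objects.
SPEL_MARKERS = re.compile(r"\bT\(|#\{|\bnew\s+[A-Za-z_]")


@dataclass
class Finding:
    line_no: int
    src: str
    severity: str  # "high" when SpEL type/constructor syntax is present
    value: str


def scan_request_log(text: str) -> list[Finding]:
    """Scan JSON-per-line request logs (assumed format) for the routing header.
    Header names are compared case-insensitively, as HTTP requires."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if ROUTING_HEADER not in headers:
            continue
        value = str(headers[ROUTING_HEADER])
        severity = "high" if SPEL_MARKERS.search(value) else "medium"
        findings.append(Finding(line_no, rec.get("src", "?"), severity, value))
    return findings


# Constructed sample log: a normal call, a request carrying the header with a
# placeholder type reference, and one carrying it with a plain function name.
SAMPLE_LOG = """\
{"src":"203.0.113.5","method":"POST","path":"/functionRouter","headers":{"content-type":"text/plain"}}
{"src":"198.51.100.7","method":"POST","path":"/functionRouter","headers":{"Spring.Cloud.Function.Routing-Expression":"T(PLACEHOLDER_CLASS).run()"}}
{"src":"198.51.100.9","method":"POST","path":"/functionRouter","headers":{"spring.cloud.function.routing-expression":"uppercase"}}
"""

if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.src}: {f.severity} -> {f.value!r}")
```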
NSFOCUS determined that the bug affects Spring Cloud Function versions 3.0.0 to 3.2.2. It has received the ID CVE-2022-22963 and a medium severity rating with a
Patch Underway
After discovering the flaw, the researchers reported the matter to the Spring Cloud Function developers. Consequently, the developers prepared a fix.
However, the researchers confirmed that a stable rollout of the fix remains pending (at the time of writing). According to the vulnerability report for this flaw, updating to Spring Cloud Function 3.1.7, 3.2.3.
Users should update to the latest releases and keep an eye on the stable rollout of the patch to avoid any exploits.