RCE 0-day Vulnerability Found in Spring Cloud (SpEL)
Update: The Spring team has published the CVE for Spring Cloud Function, CVE-2022-22963: Spring Expression Resource Access Vulnerability, and has released Spring Cloud Function 3.1.7 and 3.2.3 to patch it.
Analyzing the main branch of Spring Cloud Function (commit dc5128b), a researcher found that the developer had added SimpleEvaluationContext, using an isViaHeader variable as a flag that records, before spring.cloud.function.routing-expression is parsed, whether its value was taken from the HTTP header.
The spring.cloud.function.routing-expression parameter is read from the HTTP request header when Spring Cloud Function is accessed, and a SpEL expression injected through it is evaluated with StandardEvaluationContext. This allows an attacker to use the vulnerability to perform remote command execution.
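The following is an added illustration, not code from this article or from the Spring Cloud Function project, of why the choice of evaluation context matters for a routing expression that arrives in an HTTP header. It assumes only the spring-expression module on the classpath; the RoutingMessage class, the two expression constants and the contextFor gate (a hypothetical stand-in for the isViaHeader flag described above) are constructed for the demonstration. The header-supplied expression is deliberately benign: it only shows that a T(...) type reference resolves under StandardEvaluationContext and is refused under SimpleEvaluationContext.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RoutingExpressionContextDemo {

    // Constructed root object: a stand-in for the message whose headers a
    // routing expression normally inspects (not Spring Cloud Function's own type).
    public static class RoutingMessage {
        private final Map<String, Object> headers = new HashMap<>();

        public RoutingMessage(String functionName) {
            headers.put("function.name", functionName);
        }

        public Map<String, Object> getHeaders() {
            return headers;
        }
    }

    // Intended use of a routing expression: pick a function from a message header.
    static final String LEGITIMATE_ROUTING_EXPRESSION = "headers['function.name']";

    // Constructed, deliberately benign stand-in for a value a client could place in
    // the spring.cloud.function.routing-expression HTTP header. The point is the
    // T(...) type reference: it is what lets an untrusted expression reach
    // arbitrary classes, and it is what the restricted context refuses.
    static final String HEADER_SUPPLIED_EXPRESSION = "T(java.lang.Math).max(1, 2)";

    // Hypothetical gate mirroring the isViaHeader flag: an expression taken from
    // an HTTP header gets a read-only data-binding context, which has no type
    // locator and no method resolvers; trusted configuration keeps the full
    // StandardEvaluationContext.
    static EvaluationContext contextFor(boolean isViaHeader) {
        if (isViaHeader) {
            return SimpleEvaluationContext.forReadOnlyDataBinding().build();
        }
        return new StandardEvaluationContext();
    }

    static String evaluate(String expression, boolean isViaHeader, RoutingMessage msg) {
        ExpressionParser parser = new SpelExpressionParser();
        try {
            Object value = parser.parseExpression(expression)
                    .getValue(contextFor(isViaHeader), msg);
            return "OK: " + value;
        } catch (EvaluationException e) {
            // SimpleEvaluationContext reports the missing type locator as an
            // evaluation error, so the type reference is never resolved.
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        RoutingMessage msg = new RoutingMessage("uppercase");

        // Header-based routing still works under the restricted context.
        System.out.println(evaluate(LEGITIMATE_ROUTING_EXPRESSION, true, msg));

        // Same type-reference expression, two contexts: the standard context
        // resolves the class and invokes the method; the restricted one throws.
        System.out.println(evaluate(HEADER_SUPPLIED_EXPRESSION, false, msg));
        System.out.println(evaluate(HEADER_SUPPLIED_EXPRESSION, true, msg));
    }
}
```

Run with spring-expression on the classpath: the first two calls print OK lines, the third prints a REJECTED line because the read-only data-binding context cannot locate types. The design point is that property and map access, which is all header-based routing needs, keeps working, while anything that reaches outside the root object is cut off before it executes.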
Spring Cloud Function is currently used by many tech giants, including AWS Lambda, Azure, Google Cloud Functions, Apache OpenWhisk, and possibly other "serverless" service providers. Initially no patched version had been officially released, but the Spring team later released Spring Cloud Function 3.1.7 and 3.2.3 to patch the vulnerability.
What is Spring Cloud Function?
According to the official docs, Spring Cloud Function is a project with the following high-level goals:
- Promote the implementation of business logic via functions.
- Decouple the development lifecycle of business logic from any specific runtime target so that the same code can run as a web endpoint, a stream processor, or a task.
- Support a uniform programming model across serverless providers, as well as the ability to run standalone (locally or in a PaaS).
- Enable Spring Boot features (auto-configuration, dependency injection, metrics) on serverless providers.
It abstracts away all of the transport details and infrastructure, allowing the developer to keep all the familiar tools and processes, and focus firmly on business logic.
In short - Spring Cloud Function is a function computing framework based on Spring Boot. By abstracting away transport details and infrastructure, it lets developers keep their familiar tools and processes and focus on implementing business logic, which improves development efficiency.
Good and Bad Things
The vulnerability has been classified as Critical with a CVSS score of 9.0 out of 10.
The good news is that only the dynamic routing of some version-specific configurations of Spring Cloud Function (versions from 3 up to and including 3.2.2) is affected.
The bad news is that there are various variants of the SpEL expressions, such as charset and replace, and an exploit for this critical vulnerability is already available on the internet.