RCE 0-day Vulnerability Found in Spring Cloud Function (SpEL)

Spring Cloud Function SpEL remote command execution vulnerability and exploit released.


Update: the Spring team has published the CVE for this issue, CVE-2022-22963: Spring Expression Resource Access Vulnerability, and has released Spring Cloud Function 3.1.7 and 3.2.3 to patch it.

Recently, a test case committed to the official Spring Cloud Function repository exposed a SpEL expression injection vulnerability in Spring Cloud Function, which an attacker can leverage to achieve remote command execution by injecting SpEL expressions.

Analysing the main branch of Spring Cloud Function (commit dc5128b), a researcher found that the developers had added a SimpleEvaluationContext, gated by a new isViaHeader flag: when the value of spring.cloud.function.routing-expression is taken from an HTTP header, the expression is now evaluated in the restricted SimpleEvaluationContext rather than the full StandardEvaluationContext.

Before that change, the spring.cloud.function.routing-expression header sent with a request to a Spring Cloud Function endpoint was parsed as SpEL and evaluated with StandardEvaluationContext, which permits type references (T(...)), method invocation and constructor calls. An attacker who controls that header can therefore inject an expression that executes arbitrary commands on the server.
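The following Java snippet is an added illustration, not code from this page or from the Spring Cloud Function project. It reproduces the security-relevant difference between the two evaluation contexts named above using only the spring-expression library (assumed to be on the classpath). RoutedMessage is a hypothetical stand-in for the Message object the router evaluates the expression against, and the read-only data-binding variant of SimpleEvaluationContext is my choice for the hardened side; the exact builder the real fix uses is not shown on this page. The "hostile" expression deliberately uses a harmless type reference (System.getProperty) to show the capability class an injected header has, rather than a command-execution payload.

```java
import java.util.Map;

import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Shows why evaluating a header-supplied routing expression with
 * StandardEvaluationContext is dangerous, and how SimpleEvaluationContext
 * restricts what such an expression can do. Added example; not project code.
 */
public class RoutingExpressionContexts {

    /** Hypothetical stand-in for the Message the router evaluates against. */
    public static class RoutedMessage {
        private final Map<String, Object> headers;
        private final Object payload;

        public RoutedMessage(Map<String, Object> headers, Object payload) {
            this.headers = headers;
            this.payload = payload;
        }

        public Map<String, Object> getHeaders() { return headers; }
        public Object getPayload() { return payload; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /**
     * Pre-fix shape: the string taken from the
     * spring.cloud.function.routing-expression header is evaluated with the
     * full StandardEvaluationContext (type references, method and constructor
     * calls all allowed).
     */
    static Object routeWithStandardContext(String routingExpression, RoutedMessage message) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(message);
        return PARSER.parseExpression(routingExpression).getValue(ctx);
    }

    /**
     * Hardened shape: read-only data binding only. Property access and map
     * indexing on the message still work; T(...) and method calls are rejected.
     */
    static Object routeWithSimpleContext(String routingExpression, RoutedMessage message) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(routingExpression).getValue(ctx, message);
    }

    public static void main(String[] args) {
        // Constructed sample message, not a captured request.
        RoutedMessage message = new RoutedMessage(Map.of("x-function", "uppercase"), "hello");

        // A legitimate routing expression: pick the target function from a header.
        String legitimate = "headers['x-function']";
        // Same capability class as the public payloads, but benign: a type
        // reference followed by a static method call.
        String hostile = "T(java.lang.System).getProperty('java.version')";

        System.out.println("legitimate / standard: " + routeWithStandardContext(legitimate, message));
        System.out.println("legitimate / simple  : " + routeWithSimpleContext(legitimate, message));
        System.out.println("hostile    / standard: " + routeWithStandardContext(hostile, message));
        try {
            routeWithSimpleContext(hostile, message);
            System.out.println("hostile    / simple  : evaluated (unexpected)");
        } catch (EvaluationException e) {
            // SimpleEvaluationContext has no type locator or method resolvers
            // for this, so the expression fails before anything runs.
            System.out.println("hostile    / simple  : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Both contexts resolve the legitimate expression to "uppercase"; only StandardEvaluationContext lets the hostile one reach a JDK class. Restricting the context is a mitigation for expressions that must be accepted from callers at all; the stronger posture is to never evaluate an expression string taken from an untrusted header and instead route on a fixed, server-side configured expression.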

Spring Cloud Function ships adapters for AWS Lambda, Azure Functions, Google Cloud Functions, Apache OpenWhisk and possibly other "serverless" platforms, so applications deployed to those platforms through it are exposed as well. Initially no fixed version was available; the Spring team has since released Spring Cloud Function 3.1.7 and 3.2.3 to patch the vulnerability.


What is Spring Cloud Function?

According to the official docs, Spring Cloud Function is a project with the following high-level goals:

  • Promote the implementation of business logic via functions.
  • Decouple the development lifecycle of business logic from any specific runtime target so that the same code can run as a web endpoint, a stream processor, or a task.
  • Support a uniform programming model across serverless providers, as well as the ability to run standalone (locally or in a PaaS).
  • Enable Spring Boot features (auto-configuration, dependency injection, metrics) on serverless providers.

It abstracts away all of the transport details and infrastructure, allowing the developer to keep all the familiar tools and processes, and focus firmly on business logic.


In short, Spring Cloud Function is a function-computing framework built on Spring Boot. By abstracting away transport details and infrastructure, it lets developers keep their familiar tools and processes and focus on implementing business logic, which improves development efficiency.

Good and Bad Things

The vulnerability has been classified as Critical, with a CVSS 3.1 base score of 9.8 out of 10.

The good news is that only the dynamic routing functionality (RoutingFunction) of Spring Cloud Function is affected, in versions 3.x up to and including 3.1.6 and 3.2.2. To check your exposure, confirm the resolved version of spring-cloud-function-context in your build and upgrade to 3.1.7 or 3.2.3.

The bad news is that the injected expression can be written in many variant forms (for example, assembling strings through charset conversions or replace() calls), so naive signature filtering of the header is unreliable. In addition, a working exploit for this critical vulnerability is already publicly available.

3 comments
  1. Unknown
    NO!
    Our lab found that the default configuration can be attacked, no specific configuration is required.
    • Admin
      Please share your details and PoC here or at https://www.cyberkendra.com/p/contact-us.html
  2. Anonymous
    The CVE has been published on March 29 - https://tanzu.vmware.com/security/cve-2022-22963 with the fix in place and available in spring-cloud-function 3.1.7 and 3.2.3.