Skip to main content

Critical Spring Cloud Function Vulnerability

Overview

On March 29, 2022, a Critical Day 0 vulnerability was officially reported by Spring by VMware that affects Spring MVC and Spring WebFlux applications (CVE-2022-22963). This document describes the vulnerability, what Lacework is doing to provide you with the appropriate coverage, and what you should be doing to protect your organization.

important

Remediation
Upgrade Spring Cloud Function to 3.1.7, 3.2.3

What is the Spring Cloud Function RCE?

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

What has Lacework been doing to protect you since the vulnerability was announced?

As of March 31, 2022 at 8:30pm PT, all active container images for all customers have been re-evaluated for this vulnerability. If this vulnerability was identified in your environment, it appears as a Critical vulnerability (CVE-2022-22963) for all affected packages in your vulnerability dashboard, and Lacework recommends that you take action as soon as possible to remediate it.

This is how you can check for the vulnerability in container images

Under Vulnerabilities > Containers, select Group by Image ID and Advanced search CVE includes, CVE-2022-22963. If it’s not already selected, select Active in last 24 hours.

Detecting potential resulting exploits in run time

CVE-2022-22963 is a remote code execution (RCE) vulnerability and, at run time, exploits can be used to take complete control of applications as well as containers. However, an exploited workload will show signs of network activity from unknown servers or could show unusually heavier activity from known sources.

Lacework’s anomaly detection techniques allow customers to identify unusual network activities that can be investigated with the Polygraph visual representations, or through events originating from hosts or containers impacted by such vulnerabilities.

Lacework Labs will be monitoring for post-exploit activity, including historical data. We will provide specific recommendations to customers if a compromise is detected.

See The OAST with the most - Lacework, our most recent blog post on finding exploitable vulnerabilities in web applications.

It is critical that you upgrade Spring to the noted versions above to remediate this vulnerability.

References

VMware Advisory