NOTE: This post is about the confirmed and patched vulnerability tracked as CVE-2022-22963. While the researchers at Sysdig refer to this Spring Cloud bug as “Spring4Shell,” it should be noted that there is some confusion as to what to call it, with another security firm referring to a different, unconfirmed bug in Spring Core as “Spring4Shell.” To avoid confusion, this post has been amended to take out references to Spring4Shell altogether.
A concerning security vulnerability has bloomed in the Spring Cloud Function, which could lead to remote code execution (RCE) and the compromise of an entire internet-connected host.
Some researchers have noted that because of its ease of exploit and Java-based nature, it’s reminiscent of the Log4Shell vulnerability discovered in December.
“[This] is another in a series of major Java vulnerabilities,” Stefano Chierici, a security researcher at Sysdig, noted in materials shared with Threatpost. “It has a very low bar for exploitation so we should expect to see attackers heavily scanning the internet. Once found, they will likely install cryptominers, [distributed denial-of-service] DDoS agents, or their remote-access toolkits.”
The bug (CVE-2022-22963) affects versions 3.1.6 and 3.2.2, as well as older, unsupported versions, according to a Tuesday advisory from VMware. Users should update to 3.1.7 and 3.2.3 in order to implement a patch.
Why Such a Low CVSS Score?
While it carries a medium-severity score of 5.4 on the CVSS scale, researchers warned not to underestimate the bug’s impact.
“VMware is using the CVSSv3 base metric ‘CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L.’ This is underrepresenting the confidentiality, integrity and availability impacts of this vulnerability,” Sysdig researchers Nick Lang and Jason Avery told Threatpost. “This vulnerability allows an attacker to open a reverse shell in the context of the Spring Cloud service, which may be as root. The impacts are all high and do not require user interaction, which gives this CVE a critical rating.”
They added, “In our testing, we verified that user interaction is not required to leverage the CVE-2022-22963 vulnerability to gain unauthorized access.”
Satnam Narang, staff research engineer, Tenable, agrees with the assessment that the CVSS score may not be reflective of the true impact of the issue.
“Because the vulnerability is considered a remote code execution flaw that can be exploited by an unauthenticated attacker, it appears that the CVSSv3 score might not reflect the actual impact of this flaw,” he said via email.
Paul Ducklin, principle research scientist at Sophos, noted that it alarmingly allows for “instant RCE.”
“My recommendation is simple, and doesn’t need a score: Patch against CVE-2022-22693 because it’s attracting lots of interest, and proof-of-concept code is readily available, so why be behind when you could so easily be ahead?” he told Threatpost.
Widescale Consequences Set to Sprout
Spring Cloud is an open-source microservices framework: A collection of ready-to-use components which are useful in building distributed applications in an enterprise. It’s widely used across industries by various companies and includes ready-made integration with components from various app providers, including Kubernetes and Netflix.
As such, its footprint is concerning, according to Sysdig.
“Spring is…used by millions of developers using Spring Framework to create high-performing, easily testable code,” Chierici said. “The Spring Cloud Function framework allows developers to write cloud-agnostic functions using Spring features. These functions can be stand-alone classes and one can easily deploy them on any cloud platform to build a serverless framework.”
He added, “Since Spring Cloud Function can be used in Cloud serverless functions like AWS lambda or Google Cloud Functions, those functions might be impacted as well…leading the attackers inside your cloud account.”
The CVE-2022-22963 Bug in Bloom
According to Sysdig, the vulnerability can be exploited over HTTP: Just like Log4Shell, it only requires an attacker to send a malicious string to a Java app’s HTTP service.
“Using routing functionality, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression to access local resources and execute commands in the host,” Chierici explained. “The issue with CVE-2022-22963 is that it permits using HTTP request header spring.cloud.function.routing-expression parameter and SpEL expression to be injected and executed through StandardEvaluationContext.”
As such, unfortunately, an exploit is “quite easy to accomplish” using a simple curl command he noted:
curl -i -s -k -X $’POST’ -H $’Host: 192.168.1.2:8080′ -H $’spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\”touch /tmp/test”)’ –data-binary $’exploit_poc’ $’http://192.168.1.2:8080/functionRouter’
Sysdig published a PoC exploit on its GitHub page, and as noted, others are circulating.
“The PoCs we’ve seen so far have all simply popped up a calculator app, that being more than enough to prove the point, but it looks as though any command already installed on the server could easily be launched,” noted Ducklin, who refers to the bug as the “Spring Expression Resource Access Vulnerability” or “SPEL Vulnerability.”
He added, “This includes remotely triggering web downloader programs such as curl, launching command shells such as bash, or indeed doing both of those in sequence as a way of quietly and quickly implanting malware.”
Weeding Out Compromises
After applying the patch, anyone using applications built using Spring Cloud should take a careful inventory of their installations to make sure compromise hasn’t already occurred, according to Sysdig.
“Even though you might have already upgraded your library or applied one of the other mitigations on containers affected by the vulnerability, you need to detect any exploitation attempts and post-breach activities in your environment,” Chierici said.
That detection can be done via image scanners or a runtime detection engine to suss out malicious behaviors in already-deployed hosts or pods, he noted.
“The best defense for this type of vulnerability is to patch as soon as possible,” according to Sysdig’s writeup. “Having a clear understanding of the packages being used in your environment is a must in today’s world.”
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.