Warning: RCE Bug in ‘Spring Cloud’ Could Be Like Log4Shell!


A security vulnerability has been found in Spring Cloud Function which could lead to remote code execution (RCE) & the compromise of an entire internet-connected host.

The so-called ‘Spring4Shell’ bug could be hiding in any number of Java applications.

Some researchers have named it “Spring4Shell” due to its ease of exploitation & its Java-based nature, similar to the Log4Shell vulnerability discovered in December.

Java Vulnerabilities

“Spring4Shell is another in a series of major Java vulnerabilities,” Stefano Chierici, a Security Researcher at Sysdig, noted.

“It has a very low bar for exploitation so we should expect to see attackers heavily scanning the internet. Once found, they will likely install crypto-miners, distributed denial-of-service (DDoS) agents, or their remote-access toolkits.”

The bug (CVE-2022-22963) affects versions 3.1.6 & 3.2.2, as well as older, unsupported versions, according to a Tuesday advisory. Users should update to 3.1.7 & 3.2.3 to apply the patch.

Consequences

Spring Cloud is an open-source microservices framework: a collection of ready-to-use components for building distributed applications in an enterprise. It is widely used across industries by various companies & includes ready-made integration with components from various app providers, including Kubernetes & Netflix.

Its footprint is concerning, states Sysdig.

Spring Framework

“Spring is…used by millions of developers using Spring Framework to create high-performing, easily testable code,” Chierici observed. “The Spring Cloud Function framework allows developers to write cloud-agnostic functions using Spring features. These functions can be stand-alone classes and one can easily deploy them on any cloud platform to build a serverless framework.”

He added, “Since Spring Cloud Function can be used in Cloud serverless functions like AWS lambda or Google Cloud Functions, those functions might be impacted as well…leading the attackers inside your cloud account.”

CVE-2022-22963 Bug

Sysdig revealed that the vulnerability can be exploited over HTTP: like Log4Shell, it only requires an attacker to send a malicious string to a Java app’s HTTP service.

“Using routing functionality, it is possible for a user to provide a special Spring Expression Language (SpEL) as a routing-expression to access local resources & execute commands in the host,” Chierici explained.

“The issue with CVE-2022-22963 is that it permits using HTTP request header spring.cloud.function.routing-expression parameter & SpEL expression to be injected & executed through StandardEvaluationContext.”

Curl Command

Unfortunately, an exploit is “quite easy to accomplish” using a simple curl command, he noted:

curl -i -s -k -X $'POST' -H $'Host: 192.168.1.2:8080' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"touch /tmp/test\")' --data-binary $'exploit_poc' $'http://192.168.1.2:8080/functionRouter'


Sysdig published a proof-of-concept (PoC) on its GitHub page.

Compromises

After applying the patch, anyone using applications built using Spring Cloud should take careful stock of their installations to ensure compromise has not already occurred, explained Sysdig.

“Even though you might have already upgraded your library or applied one of the other mitigations on containers affected by the vulnerability, you need to detect any exploitation attempts & post-breach activities in your environment,” Chierici observed.

That detection can be done via image scanners or a runtime detection engine to suss out malicious behaviours in already-deployed hosts or pods, he noted.
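A defender-side illustration of that detection, covering the header-injection mechanism Chierici describes and the exploitation-attempt monitoring Sysdig recommends: this is an added example, not Sysdig's PoC or any Spring Cloud code, and the HTTP requests it inspects are constructed samples, with the exploit sample reusing the header value from the curl command above.

```python
import re

# Header abused by CVE-2022-22963: unpatched Spring Cloud Function evaluates its
# value as SpEL in a StandardEvaluationContext, so a type reference such as
# T(...) reaches the JVM. A client has no legitimate reason to send one.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# Heuristic: SpEL constructs that signal code execution rather than routing.
SUSPICIOUS_SPEL = re.compile(
    r"\bT\s*\(|java\.lang\.(Runtime|ProcessBuilder)|getRuntime\s*\(|\.exec\s*\(|new\s+java\."
)

def parse_headers(raw_request: str) -> dict:
    """Return the headers of a raw HTTP request as a {lowercase-name: value} map."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")  # first colon only; Host keeps its port
        if sep:
            # HTTP header names are case-insensitive, so normalise before matching
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_request(raw_request: str) -> str:
    """'exploit-attempt', 'routing-header-present' or 'clean' for one request."""
    expr = parse_headers(raw_request).get(ROUTING_HEADER)
    if expr is None:
        return "clean"
    if SUSPICIOUS_SPEL.search(expr):
        return "exploit-attempt"
    return "routing-header-present"   # worth logging on any host not yet patched

# Constructed sample requests (not captured traffic). The exploit one uses a
# mixed-case header name to show that the normalisation still catches it.
BENIGN = ("POST /functionRouter HTTP/1.1\r\nHost: app.internal:8080\r\n"
          "Content-Type: text/plain\r\n\r\nhello")
LEGIT_ROUTE = ("POST /functionRouter HTTP/1.1\r\nHost: app.internal:8080\r\n"
               "spring.cloud.function.routing-expression: 'uppercase'\r\n\r\nhello")
EXPLOIT = ("POST /functionRouter HTTP/1.1\r\nHost: app.internal:8080\r\n"
           "Spring.Cloud.Function.Routing-Expression: "
           'T(java.lang.Runtime).getRuntime().exec("touch /tmp/test")\r\n\r\nexploit_poc')

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("route", LEGIT_ROUTE), ("exploit", EXPLOIT)):
        print(f"{label:8s} -> {classify_request(req)}")
```

The same check can be run over proxy or WAF request logs; on an unpatched host even a benign-looking routing-expression header from an external client deserves a closer look.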

Patch

“The best defence for this type of vulnerability is to patch as soon as possible,” according to Sysdig’s writeup. “Having a clear understanding of the packages being used in your environment is a must in today’s world.”

NOTE: While the researchers at Sysdig refer to this Spring Cloud bug as “Spring4Shell,” it should be noted that there is some confusion as to what to call it, with another security firm referring to a different, unconfirmed bug in Spring Core as “Spring4Shell.”
