
RCE Bug in Spring Cloud Could Be the Next Log4Shell, Researchers Warn


The security bug could crop up, so to speak, in any number of Java applications.


NOTE: This post is about the confirmed and patched vulnerability tracked as CVE-2022-22963. While the researchers at Sysdig refer to this Spring Cloud bug as “Spring4Shell,” it should be noted that there is some confusion as to what to call it, with another security firm referring to a different, unconfirmed bug in Spring Core as “Spring4Shell.” To avoid confusion, this post has been amended to take out references to Spring4Shell altogether.


A concerning security vulnerability has bloomed in Spring Cloud Function, which could lead to remote code execution (RCE) and the compromise of an entire internet-connected host.


Some researchers have noted that because of its ease of exploit and Java-based nature, it’s reminiscent of the Log4Shell vulnerability discovered in December.


“[This] is another in a series of major Java vulnerabilities,” Stefano Chierici, a security researcher at Sysdig, noted in materials shared with Threatpost. “It has a very low bar for exploitation so we should expect to see attackers heavily scanning the internet. Once found, they will likely install cryptominers, [distributed denial-of-service] DDoS agents, or their remote-access toolkits.”




The bug (CVE-2022-22963) affects versions 3.1.6 and 3.2.2, as well as older, unsupported versions, according to a Tuesday advisory from VMware. Users should update to 3.1.7 or 3.2.3, respectively, to apply the patch.
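Because the advisory names exact affected and fixed versions, a dependency inventory can be checked mechanically. The script below is an added example, not VMware's or Sysdig's code: it scans a constructed Maven dependency listing (the shape of `mvn dependency:list` output is assumed) for Spring Cloud Function artifacts and flags any version at or below 3.1.6 or 3.2.2, treating 3.1.7 and 3.2.3 as the first fixed releases.

```python
"""Flag Spring Cloud Function artifacts whose version falls in the CVE-2022-22963 range.

Added example (not VMware's or Sysdig's code). Version boundaries follow the advisory
summarised in the article: 3.1.6, 3.2.2 and older lines are affected; 3.1.7 and 3.2.3
carry the fix. The dependency listing below is constructed sample data.
"""
import re
from typing import List, Tuple

# Constructed sample in the shape of `mvn dependency:list` output (one artifact per line).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.6.6:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.1.6:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile
[INFO]    org.springframework.cloud:spring-cloud-function-adapter-aws:jar:3.2.3:compile
[INFO]    org.springframework.cloud:spring-cloud-starter-config:jar:3.1.1:compile
[INFO]    org.springframework.cloud:spring-cloud-function-core:jar:3.0.14.RELEASE:compile
"""

# groupId:artifactId:jar:version:scope
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")

FUNCTION_GROUP = "org.springframework.cloud"
FUNCTION_ARTIFACT_PREFIX = "spring-cloud-function"


def parse_version(text: str) -> Tuple[int, ...]:
    """Keep only the leading numeric segments, e.g. "3.0.14.RELEASE" -> (3, 0, 14)."""
    parts = []
    for seg in text.split("."):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True for versions the advisory lists as affected.

    Anything below 3.1.7 is affected: that covers 3.1.6 and every older,
    unsupported line. In the 3.2 line, only 3.2.3 and later carry the fix.
    An unparseable version yields an empty tuple and is treated as affected,
    which is the conservative choice for an inventory check.
    """
    v = parse_version(version)
    if v < (3, 1, 7):
        return True
    if (3, 2, 0) <= v < (3, 2, 3):
        return True
    return False


def affected_artifacts(listing: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) for every Spring Cloud Function artifact still in range."""
    findings = []
    for line in listing.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        if group == FUNCTION_GROUP and artifact.startswith(FUNCTION_ARTIFACT_PREFIX):
            if is_affected(version):
                findings.append((artifact, version))
    return findings


if __name__ == "__main__":
    for artifact, version in affected_artifacts(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED  {artifact} {version}")
```

Only artifacts under the `org.springframework.cloud` group whose name starts with `spring-cloud-function` are considered, so the unrelated `spring-cloud-starter-config` line is ignored even though its version string is numerically low.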


Why Such a Low CVSS Score?

While it carries a medium-severity score of 5.4 on the CVSS scale, researchers warned not to underestimate the bug’s impact.


“VMware is using the CVSSv3 base metric ‘CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L.’ This is underrepresenting the confidentiality, integrity and availability impacts of this vulnerability,” Sysdig researchers Nick Lang and Jason Avery told Threatpost. “This vulnerability allows an attacker to open a reverse shell in the context of the Spring Cloud service, which may be as root. The impacts are all high and do not require user interaction, which gives this CVE a critical rating.”


They added, “In our testing, we verified that user interaction is not required to leverage the CVE-2022-22963 vulnerability to gain unauthorized access.”


Satnam Narang, staff research engineer at Tenable, agreed with the assessment that the CVSS score may not reflect the true impact of the issue.


“Because the vulnerability is considered a remote code execution flaw that can be exploited by an unauthenticated attacker, it appears that the CVSSv3 score might not reflect the actual impact of this flaw,” he said via email.


Paul Ducklin, principal research scientist at Sophos, noted that it alarmingly allows for “instant RCE.”


“My recommendation is simple, and doesn’t need a score: Patch against CVE-2022-22693 because it’s attracting lots of interest, and proof-of-concept code is readily available, so why be behind when you could so easily be ahead?” he told Threatpost.


Widescale Consequences Set to Sprout

Spring Cloud is an open-source microservices framework: A collection of ready-to-use components which are useful in building distributed applications in an enterprise. It’s widely used across industries by various companies and includes ready-made integration with components from various app providers, including Kubernetes and Netflix.


As such, its footprint is concerning, according to Sysdig.


“Spring is…used by millions of developers using Spring Framework to create high-performing, easily testable code,” Chierici said. “The Spring Cloud Function framework allows developers to write cloud-agnostic functions using Spring features. These functions can be stand-alone classes and one can easily deploy them on any cloud platform to build a serverless framework.”


He added, “Since Spring Cloud Function can be used in Cloud serverless functions like AWS lambda or Google Cloud Functions, those functions might be impacted as well…leading the attackers inside your cloud account.”


The CVE-2022-22963 Bug in Bloom

According to Sysdig, the vulnerability can be exploited over HTTP: Just like Log4Shell, it only requires an attacker to send a malicious string to a Java app’s HTTP service.


“Using routing functionality, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression to access local resources and execute commands in the host,” Chierici explained. “The issue with CVE-2022-22963 is that it permits using HTTP request header spring.cloud.function.routing-expression parameter and SpEL expression to be injected and executed through StandardEvaluationContext.”


As such, unfortunately, an exploit is “quite easy to accomplish” using a simple curl command, he noted:


curl -i -s -k -X $'POST' -H $'Host: 192.168.1.2:8080' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"touch /tmp/test")' --data-binary $'exploit_poc' $'http://192.168.1.2:8080/functionRouter'




Sysdig published a PoC exploit on its GitHub page, and as noted, others are circulating.


“The PoCs we’ve seen so far have all simply popped up a calculator app, that being more than enough to prove the point, but it looks as though any command already installed on the server could easily be launched,” noted Ducklin, who refers to the bug as the “Spring Expression Resource Access Vulnerability” or “SPEL Vulnerability.”


He added, “This includes remotely triggering web downloader programs such as curl, launching command shells such as bash, or indeed doing both of those in sequence as a way of quietly and quickly implanting malware.”


Weeding Out Compromises

After applying the patch, anyone running applications built on Spring Cloud should take a careful inventory of their installations to make sure compromise hasn’t already occurred, according to Sysdig.


“Even though you might have already upgraded your library or applied one of the other mitigations on containers affected by the vulnerability, you need to detect any exploitation attempts and post-breach activities in your environment,” Chierici said.


That detection can be done via image scanners or a runtime detection engine to suss out malicious behaviors in already-deployed hosts or pods, he noted.
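The injection vector Chierici describes is a single HTTP request header, which makes the exploitation attempts he says you need to detect easy to spot in request logs. The script below is an added example, not Sysdig's or VMware's code: it parses raw HTTP request heads (three constructed samples, including the page's own `touch /tmp/test` payload) and reports any request carrying the `spring.cloud.function.routing-expression` header. The header name comes from the article; the log format, the severity levels and the SpEL pattern used to distinguish a plain function name from a type-reference expression are this example's own assumptions.

```python
"""Flag requests that carry a SpEL routing expression toward Spring Cloud Function.

Added example (not Sysdig's or VMware's code). The header name is the one named in the
advisory; the request samples are constructed and the scoring is this example's own.
"""
import re
from typing import List, Optional

# HTTP header names are case-insensitive, so the check normalises case instead of
# matching the literal string the advisory uses.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# A routing expression that merely selects a function by name never needs SpEL's
# type operator T(...), constructor calls or a trailing method invocation such as exec().
SUSPICIOUS_SPEL = re.compile(r"\bT\s*\(|\bnew\s+[\w.]+\s*\(|\.exec\s*\(")

# Constructed sample request heads: benign, legitimate routing by function name,
# and the advisory's proof-of-concept payload with the header name in mixed case.
SAMPLE_REQUESTS = [
    "GET /actuator/health HTTP/1.1\r\nHost: svc.internal:8080\r\nUser-Agent: probe/1.0\r\n\r\n",
    "POST /functionRouter HTTP/1.1\r\nHost: svc.internal:8080\r\n"
    "spring.cloud.function.routing-expression: uppercase\r\n\r\n",
    "POST /functionRouter HTTP/1.1\r\nHost: svc.internal:8080\r\n"
    "Spring.Cloud.Function.Routing-Expression: T(java.lang.Runtime).getRuntime()"
    '.exec("touch /tmp/test")\r\n\r\n',
]


def parse_request_head(raw: str) -> dict:
    """Split a raw request head into method, target and a lower-cased header map."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def inspect_request(raw: str) -> Optional[dict]:
    """Return a finding when the routing-expression header is present, else None.

    Any occurrence is worth a look ("medium"); an expression using SpEL type
    references or method calls is rated "high", since a benign route is just a name.
    """
    req = parse_request_head(raw)
    expr = req["headers"].get(ROUTING_HEADER)
    if expr is None:
        return None
    severity = "high" if SUSPICIOUS_SPEL.search(expr) else "medium"
    return {"target": req["target"], "expression": expr, "severity": severity}


def scan(requests: List[str]) -> List[dict]:
    """Run inspect_request over a batch and keep only the findings."""
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"{finding['severity'].upper():6} {finding['target']}  {finding['expression']}")
```

Case normalisation matters in practice: a rule that matches the lower-case header name literally would miss the third sample, which is the same header spelled with capitals.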


“The best defense for this type of vulnerability is to patch as soon as possible,” according to Sysdig’s writeup. “Having a clear understanding of the packages being used in your environment is a must in today’s world.”

