NOTE: While the researchers at Sysdig refer to this Spring Cloud bug as “Spring4Shell,” it should be noted that there is some confusion as to what to call it, with another security firm referring to a different, unconfirmed bug in Spring Core as “Spring4Shell.” Threatpost is reaching out for clarification and will update this post accordingly.
A concerning security vulnerability has bloomed in the Spring Cloud Function, which could lead to remote code execution (RCE) and the compromise of an entire internet-connected host.
Some researchers have dubbed it “Spring4Shell” due to its ease of exploit and Java-based nature, a la the Log4Shell vulnerability discovered in December.
“Spring4Shell is another in a series of major Java vulnerabilities,” Stefano Chierici, a security researcher at Sysdig, noted in materials shared with Threatpost. “It has a very low bar for exploitation so we should expect to see attackers heavily scanning the internet. Once found, they will likely install cryptominers, [distributed denial-of-service] DDoS agents, or their remote-access toolkits.”
The bug (CVE-2022-22963) affects versions 3.1.6 and 3.2.2, as well as older, unsupported versions, according to a Tuesday advisory. Users should update to 3.1.7 and 3.2.3 in order to implement a patch.
Widescale Consequences Set to Sprout
Spring Cloud is an open-source microservices framework: A collection of ready-to-use components which are useful in building distributed applications in an enterprise. It’s widely used across industries by various companies and includes ready-made integration with components from various app providers, including Kubernetes and Netflix.
As such, its footprint is concerning, according to Sysdig.
“Spring is…used by millions of developers using Spring Framework to create high-performing, easily testable code,” Chierici said. “The Spring Cloud Function framework allows developers to write cloud-agnostic functions using Spring features. These functions can be stand-alone classes and one can easily deploy them on any cloud platform to build a serverless framework.”
He added, “Since Spring Cloud Function can be used in Cloud serverless functions like AWS lambda or Google Cloud Functions, those functions might be impacted as well…leading the attackers inside your cloud account.”
The CVE-2022-22963 Bug in Bloom
According to Sysdig, the vulnerability can be exploited over HTTP: Just like Log4Shell, it only requires an attacker to send a malicious string to a Java app’s HTTP service.
“Using routing functionality, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression to access local resources and execute commands in the host,” Chierici explained. “The issue with CVE-2022-22963 is that it permits using HTTP request header spring.cloud.function.routing-expression parameter and SpEL expression to be injected and executed through StandardEvaluationContext.”
As such, unfortunately, an exploit is “quite easy to accomplish” using a simple curl command he noted:
curl -i -s -k -X $’POST’ -H $’Host: 192.168.1.2:8080′ -H $’spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\”touch /tmp/test”)’ –data-binary $’exploit_poc’ $’http://192.168.1.2:8080/functionRouter’
Sysdig published a proof-of-concept (PoC) on its GitHub page.
Weeding Out Compromises
After applying the patch, anyone using applications built using Spring Cloud should take a careful inventory of their installations to make sure compromise hasn’t already occurred, according to Sysdig.
“Even though you might have already upgraded your library or applied one of the other mitigations on containers affected by the vulnerability, you need to detect any exploitation attempts and post-breach activities in your environment,” Chierici said.
That detection can be done via image scanners or a runtime detection engine to suss out malicious behaviors in already-deployed hosts or pods, he noted.
“The best defense for this type of vulnerability is to patch as soon as possible,” according to Sysdig’s writeup. “Having a clear understanding of the packages being used in your environment is a must in today’s world.”
Updated at 4 p.m. ET on March 30, 2022, to reflect a revision in the bug’s severity assessment — it is no longer considered “critical.” Threatpost has reached out to sources to understand why.
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.