Intro

Spring Cloud Function is an open-source framework that allows developers to create and deploy serverless functions using Spring Boot and Spring Cloud. It provides a lightweight programming model for building applications that can run on various serverless platforms, such as AWS Lambda, Microsoft Azure Functions, and Google Cloud Functions. With Spring Cloud Function, developers can write functions in a variety of languages, including Java (red flag), Kotlin, Groovy, and JavaScript, and deploy them to serverless platforms without worrying about the underlying infrastructure. The framework also supports event-driven and reactive programming models, making it suitable for building real-time and scalable applications. In this case study, we are going to look into a vulnerability in Spring Cloud Function.

CVE-2022-22963

When the routing functionality is used in Spring Cloud Function versions 3.1.6, 3.2.2, or older unsupported versions, a user can supply a specially crafted SpEL expression as the routing-expression. This can result in remote code execution and access to local resources. CVE-2022-22963 allows a SpEL expression to be injected through the spring.cloud.function.routing-expression HTTP request header and evaluated with a StandardEvaluationContext.

An example exploit could look like this:

curl -i -s -k -X $'POST' -H $'Host: <target>:8080' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"touch /tmp/test\")' --data-binary $'exploit_poc' $'http://<target>:8080/functionRouter'

This causes the command touch /tmp/test to be executed on the target host, demonstrating remote code execution.

Mitigation

Upgrade to version 3.2.3 or later.
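The following is an added example, not code from the Spring Cloud Function project or the page above, that illustrates the root cause described in the CVE section and the kind of hardening the upgrade relies on: the same routing expression is evaluated once with a full-power StandardEvaluationContext (any JDK class reachable via T(...)) and once with Spring's restricted SimpleEvaluationContext, which has no type locator and therefore rejects T(...) outright. The RoutingMessage class, the method names and the sample expressions are assumptions made for the example; the expression uses a harmless system-property read rather than the command from the exploit. It needs only org.springframework:spring-expression on the classpath.

```java
// Added example (not Spring Cloud Function project code): contrasts an
// unrestricted SpEL evaluation context with a restricted one for an
// untrusted routing expression. Requires spring-expression on the classpath.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RoutingExpressionContextDemo {

    /** Assumed stand-in for the message a routing expression may inspect. */
    public static class RoutingMessage {
        private final String payload;
        public RoutingMessage(String payload) { this.payload = payload; }
        public String getPayload() { return payload; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Evaluates the expression the dangerous way: StandardEvaluationContext exposes T(...), constructors, etc. */
    public static Object evaluateUnrestricted(String routingExpression, RoutingMessage message) {
        EvaluationContext context = new StandardEvaluationContext(message);
        Expression expression = PARSER.parseExpression(routingExpression);
        return expression.getValue(context);
    }

    /** Evaluates with a restricted context: read-only property access, no type references, no bean references. */
    public static Object evaluateRestricted(String routingExpression, RoutingMessage message) {
        EvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression expression = PARSER.parseExpression(routingExpression);
        return expression.getValue(context, message);
    }

    public static void main(String[] args) {
        RoutingMessage message = new RoutingMessage("order-created");

        // A legitimate routing expression: chooses a function name from the payload (constructed sample).
        String legit = "payload == 'order-created' ? 'orderFunction' : 'defaultFunction'";
        System.out.println("unrestricted, legit: " + evaluateUnrestricted(legit, message));
        System.out.println("restricted,   legit: " + evaluateRestricted(legit, message));

        // A type reference: the construct the CVE-2022-22963 payload relies on. Here it only reads a
        // system property, but under StandardEvaluationContext any JDK class is reachable the same way.
        String typeRef = "T(java.lang.System).getProperty('java.version')";
        System.out.println("unrestricted, T(): " + evaluateUnrestricted(typeRef, message));
        try {
            evaluateRestricted(typeRef, message);
            System.out.println("restricted,   T(): unexpectedly allowed");
        } catch (SpelEvaluationException e) {
            // SimpleEvaluationContext has no TypeLocator, so T(...) cannot be resolved.
            System.out.println("restricted,   T(): rejected (" + e.getMessageCode() + ")");
        }
    }
}
```

The legitimate expression evaluates to "orderFunction" under both contexts, so a restricted context does not break ordinary routing; only the type reference is refused. When reviewing code that evaluates SpEL from request headers or other caller-controlled input, the check is whether a StandardEvaluationContext is ever built around that input; if it is, the input is effectively executable code.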