A recently disclosed vulnerability in some versions of Spring Cloud, a part of the Spring framework for Java that is widely used in cloud and web applications, is now being exploited by attackers to remotely execute code on servers running the framework.
The vulnerability, CVE-2022-22963, was announced on March 29 — along with a corresponding updated release of the framework. The disclosure comes on the heels of another remote code execution vulnerability (CVE-2022-22947) in Spring Cloud Gateway, patched earlier in March. As Sophos’ Paul Ducklin reported, there are already proof-of-concept exploits for the new vulnerability (CVE-2022-22963) publicly available.
The exploit sends crafted web requests that use the Spring Expression Language (SpEL) to inject Java code into Spring Cloud Function requests. The public proof-of-concept versions demonstrate using this injection to run malicious software remotely on the Spring Cloud server.
Anyone using affected versions of Spring Cloud Function should upgrade to version 3.1.7 or 3.2.3, depending on which release line they are currently on.
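As an added example (not from Sophos or the Spring project), the following Python script checks a Maven pom.xml for Spring Cloud Function dependencies and reports whether each one predates the fixed release for its line (3.1.7 for the 3.1 line, 3.2.3 for the 3.2 line). It assumes that anything older than the fixed version on either line is affected, uses a constructed sample pom.xml, and matches any org.springframework.cloud artifact with "function" in its name; versions declared as Maven properties are reported as unresolved rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Leading numeric components of a version string as a tuple,
    e.g. '3.2.2.RELEASE' -> (3, 2, 2), '3.1.6-SNAPSHOT' -> (3, 1, 6)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_affected(version):
    """True when a spring-cloud-function version predates its line's fix.
    Assumption: everything older than 3.1.7 (3.1 line and earlier lines)
    and 3.2.0 <= v < 3.2.3 (3.2 line) is affected."""
    v = parse_version(version)
    return v < (3, 1, 7) or (3, 2, 0) <= v < (3, 2, 3)


def scan_pom(pom_xml):
    """Return (artifactId, version, affected) for each Spring Cloud Function
    dependency; version/affected are None for unresolved ${property} values."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iter("{http://maven.apache.org/POM/4.0.0}dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        version = dep.findtext("m:version", namespaces=POM_NS)
        if group != "org.springframework.cloud" or "function" not in artifact:
            continue
        if version is None or version.startswith("${"):
            findings.append((artifact, None, None))
        else:
            findings.append((artifact, version, is_affected(version)))
    return findings


# Constructed sample pom.xml: one affected and one fixed dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId><version>3.1.6</version></dependency>
    <dependency><groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-context</artifactId><version>3.2.3</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, version, affected in scan_pom(SAMPLE_POM):
        state = "unresolved" if affected is None else ("AFFECTED" if affected else "fixed")
        print(f"{artifact} {version}: {state}")
```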
SophosLabs has released an IPS signature (ID XG: 2306989) for endpoint and firewall devices to detect and block attempts to exploit this vulnerability. We continue to investigate other claimed exploits of Spring Core, and will update this report as more details become available.