CVE-2022-22963

VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability

Severity Score: 9.8 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: see Affected Vendors, Products, and Versions below (CPE)
Public Exploits: 23 (multiple sources)
Exploited in Wild: Yes (CISA KEV)
Decision: - (SSVC)

Descriptions

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

A flaw was found in Spring Cloud Function via the spring.cloud.function.routing-expression header that is modified by the attacker to contain malicious expression language code. The attacker is able to call functions that should not normally be accessible, including runtime exec calls.

Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution because a user-supplied routing expression is evaluated in an unrestricted SpEL evaluation context. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code execution. Both patched and unpatched servers respond with an HTTP 500 error and a JSON-encoded message, so the response status alone does not tell a vulnerable server from a fixed one.

When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

*Credits: N/A
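The descriptions above give a defender two concrete handles: the exact header name that is evaluated as SpEL, and the version boundaries (3.1.7 and 3.2.3 fixed). The following Python is an added example, not code from the advisory, from VMware or from the Spring Cloud Function project. It flags requests whose routing-expression header carries SpEL constructs a client never legitimately needs (type references, Runtime/ProcessBuilder, reflection), and decides whether a given release string falls inside the affected ranges. The `/functionRouter` path, the source addresses and the sample payload are constructed for the demo; the exec-style expression mirrors the "runtime exec calls" the advisory text mentions. Because a patched server also answers 500 with JSON, the detector pairs traffic inspection with the version check rather than trusting the response status.

```python
"""Added example, not from the advisory or the Spring Cloud Function project:
a detector for CVE-2022-22963 exploitation attempts in captured HTTP requests,
plus a check of whether a Spring Cloud Function version falls in the affected
ranges listed on this page. All sample requests below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Header name evaluated as SpEL by the vulnerable routing function (from the
# advisory text). HTTP header names are case-insensitive, so compare lowercase.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs a client-supplied routing expression never needs: type
# references T(...), Runtime/ProcessBuilder, reflection and class loading.
# Patterns are case-sensitive because SpEL identifiers are.
SUSPICIOUS_SPEL = re.compile(
    r"\bT\s*\(|java\.lang\.Runtime|getRuntime|ProcessBuilder|\.exec\s*\("
    r"|getClass\s*\(|forName\s*\(|ClassLoader|new\s+java\."
)


@dataclass
class Finding:
    src: str
    path: str
    expression: str
    reasons: List[str]


def inspect_request(req: dict) -> Optional[Finding]:
    """Return a Finding when the request carries the routing-expression header
    with dangerous SpEL; None for requests without the header or with a plain
    function-name expression."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    expr = headers.get(ROUTING_HEADER)
    if expr is None:
        return None
    reasons = sorted({m.group(0) for m in SUSPICIOUS_SPEL.finditer(expr)})
    if not reasons:
        return None
    return Finding(req["src"], req["path"], expr, reasons)


def scan(requests: List[dict]) -> List[Finding]:
    """Run inspect_request over a batch and keep only the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f]


def is_affected_version(version: str) -> bool:
    """Affected per this page: 3.1.6 and older (including unsupported 3.0.x and
    earlier lines), and 3.2.0 through 3.2.2. 3.1.7 and 3.2.3 carry the fix."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) < (3, 2):
        return (major, minor, patch) <= (3, 1, 6)
    if (major, minor) == (3, 2):
        return patch <= 2
    return False


# Constructed sample traffic (assumed path /functionRouter, documentation IPs):
# a normal call, a legitimate routing header that just names a function, and
# the exec-style payload the advisory describes, with a mixed-case header name.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/functionRouter", "headers": {
        "Content-Type": "text/plain"}},
    {"src": "203.0.113.9", "path": "/functionRouter", "headers": {
        "spring.cloud.function.routing-expression": "'uppercase'"}},
    {"src": "198.51.100.7", "path": "/functionRouter", "headers": {
        "Spring.Cloud.Function.Routing-Expression":
            'T(java.lang.Runtime).getRuntime().exec("id")'}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.src} {f.path} -> {f.reasons}")
    for v in ("3.1.6", "3.1.7", "3.2.2", "3.2.3"):
        print(v, "affected" if is_affected_version(v) else "fixed")
```

The pattern list is a starting point, not a complete grammar: SpEL lets an attacker build class and method names from string concatenation, so treat any presence of this header from an untrusted client as suspicious and confirm exposure with the version check or an out-of-band indicator.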
CVSS Scores

CVSS v3.1 base score 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2.0 base score 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-01-10 CVE Reserved
  • 2022-03-29 First Exploit
  • 2022-03-31 CVE Published
  • 2022-08-25 Exploited in Wild
  • 2022-09-15 KEV Due Date
  • 2024-08-03 CVE Updated
  • 2024-08-17 EPSS Updated
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CAPEC
  • none listed
References (32 recorded; 23 listed below)
URL  Date
https://www.exploit-db.com/exploits/51577 2023-07-11
https://github.com/dinosn/CVE-2022-22963 2022-03-30
https://github.com/darryk10/CVE-2022-22963 2022-04-15
https://github.com/RanDengShiFu/CVE-2022-22963 2022-03-30
https://github.com/me2nuk/CVE-2022-22963 2022-04-01
https://github.com/Kirill89/CVE-2022-22963-PoC 2022-03-30
https://github.com/charis3306/CVE-2022-22963 2023-06-04
https://github.com/HenriV-V/Exploit-for-CVE-2022-22963 2023-06-29
https://github.com/iliass-dahman/CVE-2022-22963-POC 2023-01-22
https://github.com/lemmyz4n3771/CVE-2022-22963-PoC 2023-03-14
https://github.com/randallbanner/Spring-Cloud-Function-Vulnerability-CVE-2022-22963-RCE 2023-04-17
https://github.com/gunzf0x/CVE-2022-22963 2023-05-04
https://github.com/AayushmanThapaMagar/CVE-2022-22963 2022-04-01
https://github.com/dr6817/CVE-2022-22963 2022-11-25
https://github.com/G01d3nW01f/CVE-2022-22963 2023-03-12
https://github.com/Mustafa1986/CVE-2022-22963 2023-03-21
https://github.com/puckiestyle/CVE-2022-22963 2022-03-31
https://github.com/jrbH4CK/CVE-2022-22963 2024-07-30
https://github.com/SourM1lk/CVE-2022-22963-Exploit 2023-04-11
https://github.com/BearClaw96/CVE-2022-22963-Poc-Bearcules 2023-10-28
https://github.com/nikn0laty/RCE-in-Spring-Cloud-CVE-2022-22963 2023-05-26
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html 2024-08-03
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spring_cloud_function_spel_injection.rb 2022-03-29
Affected Vendors, Products, and Versions

Vendor | Product | Version | Status
Vmware | Spring Cloud Function | <= 3.1.6 | Affected
Vmware | Spring Cloud Function | >= 3.2.0 <= 3.2.2 | Affected
Oracle | Banking Branch | 14.5 | Affected
Oracle | Banking Cash Management | 14.5 | Affected
Oracle | Banking Corporate Lending Process Management | 14.5 | Affected
Oracle | Banking Credit Facilities Process Management | 14.5 | Affected
Oracle | Banking Electronic Data Exchange For Corporates | 14.5 | Affected
Oracle | Banking Liquidity Management | 14.2 | Affected
Oracle | Banking Liquidity Management | 14.5 | Affected
Oracle | Banking Origination | 14.5 | Affected
Oracle | Banking Supply Chain Finance | 14.5 | Affected
Oracle | Banking Trade Finance Process Management | 14.5 | Affected
Oracle | Banking Virtual Account Management | 14.5 | Affected
Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 | Affected
Oracle | Communications Cloud Native Core Automated Test Suite | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Console | 1.9.0 | Affected
Oracle | Communications Cloud Native Core Console | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.10.0 | Affected
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.2 | Affected
Oracle | Communications Cloud Native Core Network Repository Function | 1.15.0 | Affected
Oracle | Communications Cloud Native Core Network Repository Function | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 | Affected
Oracle | Communications Cloud Native Core Network Slice Selection Function | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Policy | 1.15.0 | Affected
Oracle | Communications Cloud Native Core Policy | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Policy | 22.1.3 | Affected
Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 | Affected
Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 | Affected
Oracle | Communications Cloud Native Core Unified Data Repository | 22.1.0 | Affected
Oracle | Communications Communications Policy Management | 12.6.0.0.0 | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.1.1.0 | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.1.2.0 | Affected
Oracle | Financial Services Behavior Detection Platform | 8.1.1.0 | Affected
Oracle | Financial Services Behavior Detection Platform | 8.1.1.1 | Affected
Oracle | Financial Services Behavior Detection Platform | 8.1.2.0 | Affected
Oracle | Financial Services Enterprise Case Management | 8.1.1.0 | Affected
Oracle | Financial Services Enterprise Case Management | 8.1.1.1 | Affected
Oracle | Financial Services Enterprise Case Management | 8.1.2.0 | Affected
Oracle | Mysql Enterprise Monitor | <= 8.0.29 | Affected
Oracle | Product Lifecycle Analytics | 3.6.1.0 | Affected
Oracle | Retail Xstore Point Of Service | 20.0.1 | Affected
Oracle | Retail Xstore Point Of Service | 21.0.0 | Affected
Oracle | Sd-wan Edge | 9.0 | Affected
Oracle | Sd-wan Edge | 9.1 | Affected