CVE-2022-22963
VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
- Public Exploits: 22
- Exploited in Wild: Yes
Descriptions
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
A flaw was found in Spring Cloud Function via the spring.cloud.function.routing-expression header that is modified by the attacker to contain malicious expression language code. The attacker is able to call functions that should not normally be accessible, including runtime exec calls.
Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code execution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.
When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
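The descriptions above give a defender two concrete handles: the affected version ranges (3.1.x up to 3.1.6, 3.2.0 through 3.2.2, plus older unsupported lines) and the request header an attacker has to set, `spring.cloud.function.routing-expression`. The following is an added example, not code from this page or from the Spring project, that turns those two facts into a version check and a detection pass over access logs. It assumes a constructed JSON-lines log format with a `headers` object per request; the sample log lines are constructed for the demonstration.

```python
import json
import re
from dataclasses import dataclass

# Header named in the advisory text; legitimate callers are internal, so seeing it
# from an untrusted client is itself an anomaly worth triage.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# A bare function name routes to that function; anything else is a SpEL expression.
BARE_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_version(version):
    """Return (major, minor, patch) from strings such as '3.2.2' or '3.2.2.RELEASE'."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable_version(version):
    """Affected ranges as stated in the advisory: <= 3.1.6, 3.2.0..3.2.2, and older
    unsupported lines. Fixed in 3.1.7 and 3.2.3."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (3, 1):
        return True  # older, unsupported line per the advisory
    if (major, minor) == (3, 1):
        return patch <= 6
    if (major, minor) == (3, 2):
        return patch <= 2
    return False


@dataclass
class Finding:
    line_no: int
    client: str
    path: str
    status: int
    header_value: str
    is_expression: bool  # True when the value is more than a plain function name


def find_routing_expression_requests(log_lines):
    """Flag every request that carries the routing-expression header.
    Header names are matched case-insensitively; malformed lines are skipped."""
    findings = []
    for line_no, raw in enumerate(log_lines, start=1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if ROUTING_HEADER not in headers:
            continue
        value = str(headers[ROUTING_HEADER])
        findings.append(Finding(
            line_no=line_no,
            client=rec.get("client", ""),
            path=rec.get("path", ""),
            status=int(rec.get("status", 0)),
            header_value=value,
            is_expression=BARE_IDENTIFIER.match(value) is None,
        ))
    return findings


# Constructed sample log (hypothetical addresses and values; not real traffic).
# Line 2 models a probe: external client, an expression rather than a function name,
# and the 500 response the advisory says both patched and unpatched servers return.
SAMPLE_LOG = [
    '{"client": "10.0.0.5", "method": "POST", "path": "/functionRouter", "status": 200, "headers": {"Content-Type": "text/plain"}}',
    '{"client": "203.0.113.9", "method": "POST", "path": "/functionRouter", "status": 500, "headers": {"spring.cloud.function.routing-expression": "\'a\'.concat(\'b\')"}}',
    'not json at all',
    '{"client": "10.0.0.7", "method": "POST", "path": "/functionRouter", "status": 200, "headers": {"Spring.Cloud.Function.Routing-Expression": "uppercase"}}',
]


if __name__ == "__main__":
    for v in ("3.1.6", "3.1.7", "3.2.2", "3.2.3"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for f in find_routing_expression_requests(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {f.path} status={f.status} "
              f"expression={f.is_expression} value={f.header_value!r}")
```

Every hit is worth a look, because a trusted caller rarely needs to set this header across a network boundary; a value that is not a bare identifier, especially paired with a 500 response, is the first thing to escalate. The version check only encodes the ranges the advisory states, so it treats the 3.3 line and later as outside scope rather than as patched.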
Timeline
- 2022-01-10 CVE Reserved
- 2022-03-30 First Exploit
- 2022-03-31 CVE Published
- 2022-08-25 Exploited in Wild
- 2022-09-15 KEV Due Date
- 2024-08-03 CVE Updated
- 2024-11-05 EPSS Updated
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
References (32)
URL | Date
---|---
https://www.oracle.com/security-alerts/cpuapr2022.html | 2024-06-28
https://www.oracle.com/security-alerts/cpujul2022.html | 2024-06-28
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
VMware | Spring Cloud Function | <= 3.1.6 | Affected
VMware | Spring Cloud Function | >= 3.2.0 <= 3.2.2 | Affected
Oracle | Banking Branch | 14.5 | Affected
Oracle | Banking Cash Management | 14.5 | Affected
Oracle | Banking Corporate Lending Process Management | 14.5 | Affected
Oracle | Banking Credit Facilities Process Management | 14.5 | Affected
Oracle | Banking Electronic Data Exchange For Corporates | 14.5 | Affected
Oracle | Banking Liquidity Management | 14.2 | Affected
Oracle | Banking Liquidity Management | 14.5 | Affected
Oracle | Banking Origination | 14.5 | Affected
Oracle | Banking Supply Chain Finance | 14.5 | Affected
Oracle | Banking Trade Finance Process Management | 14.5 | Affected
Oracle | Banking Virtual Account Management | 14.5 | Affected
Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 | Affected
Oracle | Communications Cloud Native Core Automated Test Suite | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Console | 1.9.0 | Affected
Oracle | Communications Cloud Native Core Console | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.10.0 | Affected
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.2 | Affected
Oracle | Communications Cloud Native Core Network Repository Function | 1.15.0 | Affected
Oracle | Communications Cloud Native Core Network Repository Function | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 | Affected
Oracle | Communications Cloud Native Core Network Slice Selection Function | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Policy | 1.15.0 | Affected
Oracle | Communications Cloud Native Core Policy | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Policy | 22.1.3 | Affected
Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 | Affected
Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.0 | Affected
Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 | Affected
Oracle | Communications Cloud Native Core Unified Data Repository | 22.1.0 | Affected
Oracle | Communications Communications Policy Management | 12.6.0.0.0 | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.1.1.0 | Affected
Oracle | Financial Services Analytical Applications Infrastructure | 8.1.2.0 | Affected
Oracle | Financial Services Behavior Detection Platform | 8.1.1.0 | Affected
Oracle | Financial Services Behavior Detection Platform | 8.1.1.1 | Affected
Oracle | Financial Services Behavior Detection Platform | 8.1.2.0 | Affected
Oracle | Financial Services Enterprise Case Management | 8.1.1.0 | Affected
Oracle | Financial Services Enterprise Case Management | 8.1.1.1 | Affected
Oracle | Financial Services Enterprise Case Management | 8.1.2.0 | Affected
Oracle | MySQL Enterprise Monitor | <= 8.0.29 | Affected
Oracle | Product Lifecycle Analytics | 3.6.1.0 | Affected
Oracle | Retail Xstore Point Of Service | 20.0.1 | Affected
Oracle | Retail Xstore Point Of Service | 21.0.0 | Affected
Oracle | Sd-wan Edge | 9.0 | Affected
Oracle | Sd-wan Edge | 9.1 | Affected