Service Notices
Spring Cloud Gateway Code Injection Vulnerability (CVE-2022-22947)
Mar 04, 2022 GMT+08:00
I. Overview
Recently, VMware officially released a security notice, disclosing that Spring Cloud Gateway has a remote code execution vulnerability (CVE-2022-22947). If the Spring Cloud Gateway Actuator endpoint is enabled, exposed and unsecured, a remote attacker could make a maliciously crafted request to Spring Cloud Gateway applications to enable arbitrary remote execution on the remote host. The POC of this vulnerability has been disclosed showing that it is easy to be exploited and highly risky.
Spring Cloud Gateway is an API gateway built based on Spring Framework and Spring Boot. It provides a simple, yet effective way to route to APIs. If you are a Spring Cloud Gateway user, check your versions and implement timely security hardening.
References:
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
CVE-2022-22947: SPEL CASTING AND EVIL BEANS
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Products
Affected versions:
3.1.x series: Spring Cloud Gateway < 3.1.1
3.0.x series: Spring Cloud Gateway < 3.0.7
Other old and unsupported Spring Cloud Gateway versions
Secure versions:
Spring Cloud Gateway >= 3.1.1
Spring Cloud Gateway >= 3.0.7
IV. Vulnerability Handling
1. This vulnerability has been fixed in an official version. If your service version falls into the affected range, upgrade it to the secure version.
https://github.com/spring-cloud/spring-cloud-gateway/tags
2. If the upgrade cannot be performed in a timely manner, refer to the official suggestions to mitigate the risk:
a. If the gateway actuator endpoint is not required, use the command management.endpoint.gateway.enabled=falseto disable it.
b. If the actuator endpoint is required, use Spring Security to protect it. For details, see the official description.
HUAWEI CLOUD WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.