CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
2022-04-14 16:17:27
SUMMARY:
In Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted Spring Expression Language (SpEL) expression as a routing-expression, which may result in remote code execution and access to local resources. NetCloud Manager uses Spring Cloud Function and was updated once the vulnerability was disclosed.
Public Disclosure: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963
Vulnerability Status:
NetCloud Manager: Affected; Patched on April 1st, 2022. No customer action necessary.
NetCloud OS: Unaffected; NCOS does not use Java libraries.
NetCloud Perimeter: Unaffected; NCP does not use the vulnerable version of Spring Cloud Function.
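The affected-version range quoted in the summary (3.1.6, 3.2.2 and older) is easy to get wrong with a naive "less than 3.2.2" comparison, because the 3.1 branch has its own fix release. The following added example (not part of this advisory or of any Cradlepoint tooling) scans constructed `mvn dependency:tree` output for spring-cloud-function artifacts and reports those inside the affected range; the fix releases 3.1.7 and 3.2.3 are taken from the upstream Spring advisory and are an assumption as far as this page is concerned.

```python
import re

# Affected per the advisory: 3.1.6, 3.2.2 and all older versions.
# Fix releases 3.1.7 / 3.2.3 come from the upstream Spring advisory
# (assumption: this page does not list them).
FIXED_BY_BRANCH = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}

# Matches Maven coordinates for any spring-cloud-function artifact.
DEP_RE = re.compile(
    r"org\.springframework\.cloud:(spring-cloud-function-[\w-]+):jar:([\d.]+)")


def parse_version(text):
    """Turn '3.2.2' into a comparable tuple (3, 2, 2)."""
    return tuple(int(p) for p in text.split("."))


def is_affected(version):
    """True if this spring-cloud-function version lies in the CVE-2022-22963 range."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Branches older than 3.1 are unsupported and affected; newer branches
    # postdate the fix (assumption).
    return branch < (3, 1)


def scan_dependency_tree(lines):
    """Return (artifact, version) pairs from dependency:tree output that are affected."""
    findings = []
    for line in lines:
        m = DEP_RE.search(line)
        if m and is_affected(m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings


# Constructed sample of `mvn dependency:tree` output, not real project data.
SAMPLE_TREE = """\
[INFO] +- org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-function-core:jar:3.2.2:compile
[INFO] +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.6.6:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version in scan_dependency_tree(SAMPLE_TREE):
        print(f"affected: {artifact} {version}")
```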