
Cybersecurity Threat Advisory 0025-22: Vulnerability in Spring Cloud Function Can Trigger Remote Code Execution Attacks

Threat Update

A newly discovered critical vulnerability, tracked as CVE-2022-22963, affects Spring Cloud Function, a Spring module used to streamline data processing. The vulnerability allows an unauthenticated remote attacker to send a specially crafted HTTP header to Spring Cloud Function and execute arbitrary code. A patch has been released to mitigate this security risk, and Barracuda MSP’s SOC recommends updating immediately.

Technical Detail & Additional Information

WHAT IS THE THREAT?

The Spring Cloud Function vulnerability, once exploited by way of a Java application’s HTTP service, can give threat actors access to the host’s network via remote code execution (RCE). According to security researchers, the vulnerability allows threat actors to abuse an HTTP request header in the Spring Cloud Function framework together with a class in the Java programming language to compromise a host and execute arbitrary code on the target device.

WHY IS IT NOTEWORTHY?

Spring Cloud Function is an open-source framework that provides tools for developers to quickly build common patterns in distributed systems, such as intelligent routing and configuration management. It can also be used to build a serverless framework that runs on the serverless function offerings of many cloud platforms.

WHAT IS THE EXPOSURE OR RISK?

Cloud services such as AWS Lambda and Google Cloud Functions can run applications built on the Spring Cloud Function framework, and those applications are vulnerable to this exploit as a result. Successful exploitation of this vulnerability can lead to a takeover of your public cloud accounts. The dangerous nature of the vulnerability is compounded by how easy it is for anyone to exploit.

WHAT ARE THE RECOMMENDATIONS?

Barracuda MSP’s SOC recommends the following actions to limit the impact of this vulnerability:

  • Apply the patch by upgrading to version 3.1.7 or 3.2.3.
  • Review your installations to ensure a compromise has not already occurred.
  • Detect exploitation attempts and post-breach activity in your environment with image scanners or a runtime detection engine, such as SKOUT EDR, to discover malicious behavior on already-deployed hosts.
  • Maintain a clear understanding of the packages used in your environment.
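As an added defender-side example (not Barracuda MSP’s or Spring’s own code), the following Python script applies the first and last recommendations to a Maven project: it inventories spring-cloud-function dependencies in a pom.xml and flags any version older than the patched 3.1.7 / 3.2.3 releases named above. The sample pom embedded in the script is constructed for illustration.

```python
"""CVE-2022-22963 dependency check (added example, not the advisory's or Spring's
code): flag spring-cloud-function artifacts older than the patched 3.1.7 / 3.2.3."""
import re
import xml.etree.ElementTree as ET
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}  # first patched release per line


def parse_version(text):
    """Turn '3.1.6' or '3.2.2-SNAPSHOT' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(n) for n in m.groups())


def is_vulnerable(version):
    """3.2.x is fixed from 3.2.3; every other line must be at least 3.1.7."""
    v = parse_version(version)
    return v < FIXED.get(v[:2], (3, 1, 7))


def find_vulnerable_deps(pom_xml):
    """Return [(artifactId, version)] needing upgrade. Resolves ${property}
    versions; BOM-managed deps with no <version> element are not covered."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: p.text for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        if group != "org.springframework.cloud" or not artifact.startswith("spring-cloud-function"):
            continue
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        if version and is_vulnerable(version):
            hits.append((artifact, version))
    return hits


# Constructed sample pom: one unpatched 3.1.x dependency, one already on 3.2.3.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><scf.version>3.1.6</scf.version></properties>
  <dependencies>
    <dependency><groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId><version>${scf.version}</version></dependency>
    <dependency><groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-context</artifactId><version>3.2.3</version></dependency>
  </dependencies>
</project>"""
if __name__ == "__main__":
    for artifact, version in find_vulnerable_deps(SAMPLE_POM):
        print(f"UPGRADE NEEDED: {artifact} {version}")
```

Run it against each service's pom.xml to build the package inventory the advisory asks for; dependencies whose version comes only from a BOM need a separate `mvn dependency:tree` check.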

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.
