CVE-2022-22947
📋 TL;DR
CVE-2022-22947 is a critical remote code execution vulnerability in Spring Cloud Gateway, reachable when the Gateway Actuator endpoint is enabled, exposed over HTTP and left without proper security controls. An attacker who can reach that endpoint can send specially crafted requests and execute arbitrary commands on the server. Any organization running Spring Cloud Gateway with the Actuator endpoint exposed is affected.
💻 Affected Systems
- Spring Cloud Gateway
📦 What is this software?
Spring Cloud Gateway is the Spring project's API gateway. The following Oracle products are also listed as affected by this CVE in Oracle's Critical Patch Updates (see References):
- Communications Cloud Native Core Binding Support Function by Oracle
- Communications Cloud Native Core Console by Oracle
- Communications Cloud Native Core Network Exposure Function by Oracle
- Communications Cloud Native Core Network Function Cloud Native Environment by Oracle
- Communications Cloud Native Core Network Repository Function by Oracle
- Communications Cloud Native Core Network Slice Selection Function by Oracle
- Communications Cloud Native Core Security Edge Protection Proxy by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate data, or pivot to other internal systems.
Likely Case
Remote code execution leading to data theft, service disruption, or cryptocurrency mining malware installation.
If Mitigated
No impact if Actuator endpoints are disabled or properly secured with authentication and network controls.
🎯 Exploit Status
Multiple public proof-of-concept exploits exist. The attack requires no authentication when the Actuator endpoint is exposed without access controls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Spring Cloud Gateway 3.1.1+ or 3.0.7+
Vendor Advisory: https://tanzu.vmware.com/security/cve-2022-22947
Restart Required: Yes
Instructions:
1. Update Spring Cloud Gateway to version 3.1.1+ or 3.0.7+.
2. Update the dependency in your pom.xml or build.gradle.
3. Rebuild and redeploy the application.
4. Restart the service.
🔧 Temporary Workarounds
Disable Actuator endpoints
Disable the Gateway Actuator endpoint in the application configuration (all versions):
management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.exclude=gateway
Secure Actuator endpoints
Enable authentication and restrict access to the Actuator endpoints (all versions):
spring.security.user.name=admin
spring.security.user.password=strongpassword
management.endpoints.web.base-path=/internal
These properties only take effect when spring-boot-starter-security is on the classpath; replace the sample credentials with real ones. Changing the base path merely relocates the endpoints and is not a substitute for authentication and network restrictions.
🧯 If You Can't Patch
- Disable Gateway Actuator endpoint completely in application configuration
- Implement network segmentation and firewall rules to restrict access to Actuator endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether the Spring Cloud Gateway version is below 3.1.1 (3.1 line) or below 3.0.7 (3.0 line), and whether the Actuator endpoints are enabled and reachable.
Check Version:
Check the spring-cloud-starter-gateway dependency version in pom.xml or build.gradle (if the version is inherited from a Spring Cloud BOM, check the resolved dependency tree instead).
Verify Fix Applied:
Verify that the Spring Cloud Gateway version is 3.1.1+ or 3.0.7+, and test that the Actuator endpoints are either disabled or properly secured.
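The following script is an added verification helper, not part of this advisory or of the Spring project. It reads the spring-cloud-starter-gateway version from a pom.xml (resolving `${property}` references and recognising BOM-managed versions with no explicit number), compares it with the fixed versions 3.0.7 and 3.1.1 named above, and evaluates the Actuator exposure properties from the workaround section. The sample pom.xml and properties are constructed; the handling of version lines other than 3.0.x and 3.1.x is an assumption noted in the code.

```python
"""Offline check for CVE-2022-22947 exposure (added example; not vendor code).
Fixed versions 3.0.7 / 3.1.1 are taken from the advisory."""
import re
import xml.etree.ElementTree as ET

FIXED_BY_LINE = {(3, 0): (3, 0, 7), (3, 1): (3, 1, 1)}


def parse_version(text):
    """'3.1.0', '3.0.6-SNAPSHOT' or '3.1.1.RELEASE' -> (major, minor, patch)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def version_is_fixed(text):
    v = parse_version(text)
    line = v[:2]
    if line in FIXED_BY_LINE:
        return v >= FIXED_BY_LINE[line]
    # Assumption: the unsupported 2.x line is treated as vulnerable (the advisory
    # says older versions are affected); anything newer than 3.1 postdates the fix.
    return line > (3, 1)


def gateway_version_from_pom(pom_xml):
    """Return ('explicit', '3.1.0'), ('managed', None) when a BOM supplies the
    version, or ('absent', None) when the starter is not declared at all."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the Maven XML namespace so tag lookups stay short
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("./properties/*")}
    for dep in root.findall("./dependencies/dependency"):
        if (dep.findtext("groupId", "").strip() == "org.springframework.cloud"
                and dep.findtext("artifactId", "").strip() == "spring-cloud-starter-gateway"):
            ver = dep.findtext("version")
            if ver is None:
                return ("managed", None)
            ver = ver.strip()
            ref = re.fullmatch(r"\$\{(.+)\}", ver)  # resolve ${property} references
            return ("explicit", props.get(ref.group(1), ver) if ref else ver)
    return ("absent", None)


def gateway_actuator_exposed(properties_text):
    """True when the gateway Actuator endpoint is enabled and web-exposed.
    Defaults follow Spring Boot: the endpoint is enabled unless disabled, only
    'health' is exposed over HTTP unless 'include' names it or '*', and
    'exclude' takes precedence over 'include'."""
    props = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    if props.get("management.endpoint.gateway.enabled", "true").lower() == "false":
        return False
    include = {s.strip() for s in props.get("management.endpoints.web.exposure.include", "health").split(",")}
    exclude = {s.strip() for s in props.get("management.endpoints.web.exposure.exclude", "").split(",") if s.strip()}
    if "gateway" in exclude or "*" in exclude:
        return False
    return "gateway" in include or "*" in include


def assess(pom_xml, properties_text):
    """One-line verdict combining the version and the exposure checks."""
    status, ver = gateway_version_from_pom(pom_xml)
    exposed = gateway_actuator_exposed(properties_text)
    exposure = "gateway endpoint web-exposed" if exposed else "gateway endpoint not web-exposed"
    if status == "absent":
        return "not applicable: spring-cloud-starter-gateway not declared"
    if status == "managed":
        return "version managed by BOM: resolve it with the build tool; " + exposure
    if version_is_fixed(ver):
        return f"patched ({ver})"
    return f"vulnerable ({ver}, {exposure}; patch regardless)"


# Constructed sample inputs for a stand-alone run.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><gateway.version>3.1.0</gateway.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-gateway</artifactId>
      <version>${gateway.version}</version>
    </dependency>
  </dependencies>
</project>"""
EXPOSED_PROPS = "management.endpoints.web.exposure.include=*\n"
WORKAROUND_PROPS = ("management.endpoint.gateway.enabled=false\n"
                    "management.endpoints.web.exposure.exclude=gateway\n")

if __name__ == "__main__":
    print(assess(SAMPLE_POM, EXPOSED_PROPS))
    print(assess(SAMPLE_POM, WORKAROUND_PROPS))
```

A BOM-managed version (no `<version>` on the starter) is reported rather than guessed; confirm it from the resolved dependency tree of the build tool. The same property logic applies to an application.yml once flattened to dotted keys.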
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /actuator/gateway/routes endpoint
- Application log entries showing SpEL expressions being evaluated in route or filter definitions
- Unauthorized access attempts to management endpoints
Network Indicators:
- HTTP POST requests to /actuator/gateway/routes with malicious payloads
- Outbound connections from Spring Cloud Gateway to suspicious IPs
SIEM Query:
source="spring-cloud-gateway" AND (uri_path="/actuator/gateway/routes" OR uri_path="/actuator/gateway/refresh")
Adjust the paths if management.endpoints.web.base-path has been changed (the workaround above moves the endpoints under /internal), and prioritise POST and DELETE requests to these paths over GETs.
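The script below is an added detection example, not part of this advisory; it applies the log and network indicators above to access-log lines and correlates, per client address, a route write followed by a refresh, which is the sequence the SIEM query is meant to surface. The log lines are constructed samples using documentation addresses, and the Actuator base path is assumed to be the default /actuator.

```python
"""Detection example for CVE-2022-22947 indicators (added; not vendor code)."""
import re
from collections import defaultdict

# Combined-log-style line; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: default Actuator base path. If the base-path workaround on this
# page is applied, change this prefix to match (e.g. "/internal").
ACTUATOR_BASE = "/actuator"


def classify(method, path):
    """Map one request to (severity, reason), or None when it is not of interest."""
    path = path.split("?", 1)[0]
    if path.startswith(ACTUATOR_BASE + "/gateway/routes") and method in ("POST", "PUT", "DELETE"):
        return ("high", "route definition written through the Actuator")
    if path == ACTUATOR_BASE + "/gateway/refresh" and method == "POST":
        return ("high", "gateway route refresh triggered")
    if path.startswith(ACTUATOR_BASE + "/gateway/"):
        return ("medium", "gateway Actuator endpoint read")
    if path.startswith(ACTUATOR_BASE + "/"):
        return ("low", "other management endpoint accessed")
    return None


def scan(lines):
    """Return one finding dict per line of interest; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["method"], m["path"])
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "path": m["path"], "status": int(m["status"]),
                             "severity": hit[0], "reason": hit[1]})
    return findings


def correlate(findings):
    """Per client: a successful (2xx) route write later followed by a refresh.
    Returns {ip: (write_ts, refresh_ts)} for clients showing that sequence."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["ip"]].append(f)  # preserves log order within each client
    alerts = {}
    for ip, events in by_ip.items():
        write_ts = None
        for e in events:
            if e["reason"].startswith("route definition written") and 200 <= e["status"] < 300:
                write_ts = write_ts or e["ts"]
            elif e["reason"].startswith("gateway route refresh") and write_ts:
                alerts[ip] = (write_ts, e["ts"])
                break
    return alerts


# Constructed sample log; 203.0.113.7 and 198.51.100.4 are documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2022:10:00:01 +0000] "POST /actuator/gateway/routes/sample-route HTTP/1.1" 201 0',
    '203.0.113.7 - - [01/Mar/2022:10:00:02 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Mar/2022:10:00:03 +0000] "GET /actuator/gateway/routes/sample-route HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Mar/2022:10:00:04 +0000] "GET /api/orders?page=1 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Mar/2022:10:00:05 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    'this line does not parse and is skipped',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['ip']:14} {f['method']} {f['path']} -> {f['reason']}")
    for ip, (w, r) in correlate(found).items():
        print(f"ALERT {ip}: route written at {w}, refreshed at {r}")
```

In production the per-client correlation should also consider a write with no subsequent refresh, since the Actuator write alone already indicates the endpoint is reachable without authentication.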
🔗 References
- http://packetstormsecurity.com/files/166219/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/168742/Spring-Cloud-Gateway-3.1.0-Remote-Code-Execution.html
- https://tanzu.vmware.com/security/cve-2022-22947
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22947