CVE-2022-22963
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of Spring Cloud Function. Attackers can craft malicious SpEL expressions in routing functionality to achieve remote code execution and access local resources. Organizations using Spring Cloud Function 3.1.6, 3.2.2, or older unsupported versions are affected.
💻 Affected Systems
- Spring Cloud Function
📦 What is this software?
Oracle products listed as affected by this CVE:
- Banking Corporate Lending Process Management
- Banking Credit Facilities Process Management
- Banking Electronic Data Exchange For Corporates
- Banking Trade Finance Process Management
- Banking Virtual Account Management
- Communications Cloud Native Core Automated Test Suite
- Communications Cloud Native Core Console
- Communications Cloud Native Core Network Exposure Function
- Communications Cloud Native Core Network Function Cloud Native Environment
- Communications Cloud Native Core Network Repository Function
- Communications Cloud Native Core Network Slice Selection Function
- Communications Cloud Native Core Policy
- Communications Cloud Native Core Security Edge Protection Proxy
- Communications Cloud Native Core Unified Data Repository
- Communications Communications Policy Management
- Financial Services Analytical Applications Infrastructure
- Financial Services Behavior Detection Platform
- Financial Services Enterprise Case Management
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, and pivot to other systems in the network.
Likely Case
Remote code execution leading to data theft, service disruption, and potential lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, though exploitation could still cause service disruption.
🎯 Exploit Status
Multiple public proof-of-concept exploits exist, and the vulnerability is actively exploited in the wild. No authentication is required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Spring Cloud Function 3.1.7 and 3.2.3
Vendor Advisory: https://tanzu.vmware.com/security/cve-2022-22963
Restart Required: Yes
Instructions:
1. Update Spring Cloud Function to version 3.1.7 or 3.2.3.
2. Update dependencies in your project configuration (pom.xml or build.gradle).
3. Rebuild and redeploy the application.
4. Restart all affected services.
🔧 Temporary Workarounds
Disable routing functionality
If routing functionality is not required, disable it to prevent exploitation.
spring.cloud.function.routing.enabled=false
Input validation filter
Implement a filter to reject requests containing SpEL expressions in routing parameters.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems
- Deploy web application firewall (WAF) rules to block malicious SpEL expressions
🔍 How to Verify
Check if Vulnerable:
Check the Spring Cloud Function version in your application dependencies. If you are using 3.1.6, 3.2.2, or an older version, you are vulnerable.
Check Version:
Check pom.xml for the <spring-cloud-function.version> property, or build.gradle for springCloudFunctionVersion.
Verify Fix Applied:
Verify that the Spring Cloud Function version in your dependencies is 3.1.7 or 3.2.3 after the update.
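As an added example (not code from the original page), a Python check that reads the declared version from the pom.xml property or the build.gradle variable named above and compares it against the fixed releases; treating every branch before 3.1 as vulnerable follows the "older unsupported versions" wording, and the sample build files are constructed.

```python
"""Flag a declared Spring Cloud Function version that falls in the
CVE-2022-22963 affected range (3.1.6, 3.2.2 and older; fixed in 3.1.7 / 3.2.3)."""
import re
import xml.etree.ElementTree as ET

FIXED = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}  # first fixed release per branch

def parse_version(text):
    """'3.2.2' -> (3, 2, 2); trailing qualifiers such as '.RELEASE' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", (text or "").strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version):
    """True if older than the fixed release of its branch. Branches before 3.1
    are unsupported and treated as vulnerable; branches after 3.2 post-date the
    fix. None means the string could not be parsed and needs manual review."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED.get(v[:2])
    return v[:2] < (3, 1) if fixed is None else v < fixed

def version_from_pom(pom_xml):
    """Return the <spring-cloud-function.version> property value, ignoring the
    Maven XML namespace, or None when the property is absent."""
    for node in ET.fromstring(pom_xml).iter():
        if node.tag.split("}")[-1] == "spring-cloud-function.version":
            return (node.text or "").strip() or None
    return None

def version_from_gradle(gradle_text):
    """Return the value of springCloudFunctionVersion = '...' from a build.gradle."""
    m = re.search(r"springCloudFunctionVersion\s*=\s*['\"]([^'\"]+)['\"]", gradle_text)
    return m.group(1) if m else None

# Constructed sample build files; not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <spring-cloud-function.version>3.2.2</spring-cloud-function.version>
  </properties>
</project>"""
SAMPLE_GRADLE = "ext {\n    springCloudFunctionVersion = '3.1.7'\n}\n"

if __name__ == "__main__":
    for name, ver in (("pom.xml", version_from_pom(SAMPLE_POM)),
                      ("build.gradle", version_from_gradle(SAMPLE_GRADLE))):
        status = {True: "VULNERABLE", False: "fixed", None: "unknown"}[is_vulnerable(ver)]
        print(f"{name}: {ver} -> {status}")
```

When the version is inherited from a Spring Cloud BOM rather than declared in the build file, the property will be absent; inspect the resolved dependency tree (mvn dependency:tree or gradle dependencies) instead.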
📡 Detection & Monitoring
Log Indicators:
- Unusual SpEL expressions in routing parameters
- Unexpected process execution from Spring application
- Error logs containing SpEL parsing exceptions
Network Indicators:
- HTTP requests with crafted routing-expression parameters
- Outbound connections from Spring applications to unexpected destinations
SIEM Query:
source="spring-app" AND (message="*SpEL*" OR message="*routing-expression*")
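As an added example that is not part of the original page, the log indicators above (a routing-expression header on inbound requests, and SpEL exceptions in application logs) implemented as a scan over constructed log lines; the same header check is what the "input validation filter" workaround would apply at the edge. It assumes the header is named spring.cloud.function.routing-expression and that the access log is JSON with one record per line.

```python
"""Scan access-log and application-log lines for the CVE-2022-22963 indicators
listed above: inbound requests carrying a routing-expression header, and SpEL
parse or evaluation exceptions raised by the application."""
import json
import re

# Header that Spring Cloud Function evaluates as a SpEL routing expression
# (assumed name; the advisory text above calls it the routing-expression parameter).
ROUTING_HEADER = "spring.cloud.function.routing-expression"
# Exception class names Spring raises when a SpEL expression fails to parse or evaluate.
SPEL_ERROR_RE = re.compile(r"\bSpel(?:Parse|Evaluation)Exception\b")

def classify_access(line):
    """line: one JSON access-log record {"src","method","path","headers":{...}}.
    Returns None for a clean request, else a finding. A plain property path such
    as headers.route is marked for review; call syntax ("(") is marked high."""
    rec = json.loads(line)
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    expr = headers.get(ROUTING_HEADER)
    if expr is None:
        return None
    return {"src": rec.get("src"), "path": rec.get("path"), "expression": expr,
            "severity": "high" if "(" in expr else "review"}

def classify_app_log(line):
    """Flag an application log line that mentions a SpEL parse/evaluation exception."""
    return {"severity": "review", "line": line.strip()} if SPEL_ERROR_RE.search(line) else None

def scan(access_lines, app_lines):
    """Run both classifiers and return the combined list of findings."""
    findings = [f for f in map(classify_access, access_lines) if f]
    return findings + [f for f in map(classify_app_log, app_lines) if f]

# Constructed sample log lines; addresses, paths, logger names and messages are made up.
ACCESS_LOG = [
    '{"src":"10.0.0.5","method":"POST","path":"/uppercase","headers":{"content-type":"text/plain"}}',
    '{"src":"10.0.0.7","method":"POST","path":"/functionRouter","headers":{"spring.cloud.function.routing-expression":"headers.route"}}',
    '{"src":"203.0.113.9","method":"POST","path":"/functionRouter","headers":{"Spring.Cloud.Function.Routing-Expression":"headers[\'route\'].toUpperCase()"}}',
]
APP_LOG = [
    "INFO  o.s.c.f.context.FunctionCatalog - routed request to uppercase",
    "ERROR o.s.web.servlet.DispatcherServlet - org.springframework.expression.spel.SpelEvaluationException: evaluation failed",
]

if __name__ == "__main__":
    for finding in scan(ACCESS_LOG, APP_LOG):
        print(finding)
```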
🔗 References
- http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
- https://tanzu.vmware.com/security/cve-2022-22963
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22963