VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability (CVE-2022-22963)
When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2022-09-15 under CISA BOD 22-01.
This is a Code Injection (CWE-94) vulnerability in VMware Tanzu Spring Cloud. In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.
📧
Phishing link
🖼
Malicious file
🔓
Server compromised
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html
Get the fix
Apply the fixed package from your vendor. The advisory lists affected versions and the exact fixed build.
↗ Vendor advisoryManual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply updates per vendor instructions.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References
Related vulnerabilities
VMware vCenter Server < 7.0 — RCE
VMware vCenter Server
CVE-2021-21985
CRITICAL9.8VMware vCenter Server < 7.0 — RCE
VMware vCenter Server
CVE-2021-22005
CRITICAL9.8VMware ESXi and Horizon DaaS OpenSLP Heap-Based Buffer Overflow Vulnerability (CVE-2019-5544)
VMware VMware ESXi and Horizon DaaS
CVE-2019-5544