A recently revealed vulnerability in some versions of Spring Cloud, part of the Spring framework for Java that is widely used as a building block of cloud and web applications, is now being exploited by attackers to remotely execute code on servers running the framework.
The vulnerability, CVE-2022-22963, was announced on March 29 — along with a corresponding updated release of the framework. The disclosure comes on the heels of another remote code execution vulnerability (CVE-2022-22947) in Spring Cloud Gateway, patched earlier in March. As Paul Ducklin reported on Naked Security, there are already proof-of-concept exploits for the new vulnerability (CVE-2022-22963) publicly available.
https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gives-instant-remote-code-execution-update-now/
The exploit uses crafted web requests containing Spring Expression Language (SpEL) expressions to inject Java code through Spring Cloud Function requests. The publicly available proof-of-concept versions demonstrate how this can be used to run malicious software remotely on the Spring Cloud server.
Anyone using affected versions of Spring Cloud Function should upgrade to version 3.1.7 or 3.2.3, depending on their current version.
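The upgrade guidance above depends on which release line is in use, so a quick inventory check is useful. The following script is an added example, not code from Sophos or from the Spring project: it scans Maven dependency-list style output for Spring Cloud Function artifacts and reports any version below the fixed releases named above (3.1.7 for the 3.1 line, 3.2.3 for the 3.2 line). The artifact naming pattern, the sample output, and the rule that lines older than 3.1 are pointed at the latest fixed release are assumptions made for the example.

```python
"""Check Spring Cloud Function artifact versions against the fixed releases
for CVE-2022-22963 (3.1.7 and 3.2.3, as stated in the advisory)."""
import re

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED_BY_LINE = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}

# Assumption: Spring Cloud Function artifacts appear in dependency output as
# org.springframework.cloud:spring-cloud-function-<module>:jar:<version>.
ARTIFACT_RE = re.compile(
    r"org\.springframework\.cloud:(spring-cloud-function-[\w-]+):jar:([\d.]+(?:[-.]\w+)?)"
)


def parse_version(text):
    """'3.1.6' -> (3, 1, 6); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def needs_upgrade(version):
    """Return the fixed version to move to, or None if already at or past the fix.

    Release lines newer than 3.2 post-date the fixes and are treated as clean.
    Lines older than 3.1 are not covered by the advisory's two fixed releases;
    this example flags them for an upgrade to 3.2.3 (assumption, not advisory text).
    """
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_BY_LINE:
        fixed = FIXED_BY_LINE[line]
        return ".".join(map(str, fixed)) if v < fixed else None
    if line > (3, 2):
        return None
    return "3.2.3"


def scan_dependency_list(text):
    """Scan dependency-list output; return (artifact, version, target) for affected entries."""
    findings = []
    for artifact, version in ARTIFACT_RE.findall(text):
        target = needs_upgrade(version)
        if target:
            findings.append((artifact, version, target))
    return findings


# Constructed sample resembling `mvn dependency:list` output; not real project data.
SAMPLE = """\
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.1.6:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.2.3:compile
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.6.5:compile
"""

if __name__ == "__main__":
    for artifact, version, target in scan_dependency_list(SAMPLE):
        print(f"{artifact} {version}: affected, upgrade to {target}")
```

Feed it the output of `mvn dependency:list` (or any text that lists artifact coordinates in the same form) to get a per-artifact list of what needs to move and to which release.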
SophosLabs has released a set of signatures for detection of these exploits:

| Product | Signature IDs |
|---|---|
| XG | 30790, 30791, 30792, 30793 |
| EIPS | 2306990, 2307000 |
| SG | 30790, 30791, 30792, 30793 |
Information on the impact of this vulnerability on Sophos products can be found in this article. At this time, no Sophos products are impacted by this vulnerability.