CVE-2022-22947
Published: 03 March 2022
Summary
CVE-2022-22947 is a critical-severity Code Injection (CWE-94) vulnerability in Spring Cloud Gateway; Oracle also tracks it against downstream products that embed the affected component, such as Oracle Communications Cloud Native Core Network Repository Function. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top fraction of a percent of all CVEs by EPSS exploit likelihood (reported as the top 0.0% after rounding); CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Deeper analysis
CVE-2022-22947 is a code injection vulnerability in Spring Cloud Gateway 3.1.0, 3.0.0 through 3.0.6, and older unsupported releases; it is fixed in 3.1.1 and 3.0.7. It is exploitable when the Gateway Actuator endpoint is enabled, exposed over HTTP, and left unsecured: a specially crafted request submitted to that endpoint reaches expression language evaluation without proper input handling, so attacker-supplied expressions are evaluated as code (CWE-94 Code Injection and CWE-917 Expression Language Injection).
A remote attacker with no authentication can send a malicious HTTP request to the exposed actuator endpoint and achieve arbitrary remote code execution on the host with full confidentiality, integrity, and availability impact, as reflected in the CVSS 10.0 score.
Advisories from VMware Tanzu and Oracle list the fixed versions and urge operators to upgrade Spring Cloud Gateway to 3.1.1 or later (or 3.0.7 or later) while ensuring the actuator endpoint is not publicly reachable without proper access controls.
The EPSS score has reached a peak of 0.9755 with a current value of 0.9446, indicating sustained high exploitation interest after disclosure. Public proof-of-concept exploits have been posted to Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1288
Vulnerability details
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
- CWE(s): CWE-94 (Code Injection), CWE-917 (Expression Language Injection)
- KEV Date Added: 16 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces authentication and authorization on the exposed Gateway Actuator endpoint so that unauthenticated attackers cannot submit malicious requests.
- CM-7 (Least Functionality): requires disabling or restricting non-essential actuator endpoints and features, directly eliminating the attack surface described in the CVE.
- Patch management: mandates prompt application of vendor patches that remove the code-injection flaw in Spring Cloud Gateway < 3.0.7/3.1.1.
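The two preconditions the advisory names, an affected version and an exposed gateway actuator, can both be checked from build metadata and Spring Boot configuration. The following is an added example, not code from the page or the Spring Cloud Gateway project. It assumes the version string comes from the dependency tree and the configuration is in `.properties` form; the property keys (`management.endpoints.web.exposure.include`, `management.endpoints.web.exposure.exclude`, `management.endpoint.gateway.enabled`) are the real Spring Boot and Spring Cloud Gateway keys, with Spring Boot's default exposure of `health` only, and the weak and hardened configurations are constructed.

```python
"""Audit a Spring Cloud Gateway deployment for CVE-2022-22947 preconditions.

Added example; not the project's own tooling. Checks (1) whether the declared
version falls in the affected range (fixed in 3.0.7 and 3.1.1) and (2) whether
the Spring Boot configuration exposes the 'gateway' actuator endpoint over HTTP.
Property keys are the documented Spring Boot / Spring Cloud Gateway keys; the
sample configurations below are constructed.
"""
import re
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch; tolerates suffixes such as '.RELEASE' or '-SNAPSHOT'."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_vulnerable_version(version: str) -> bool:
    """Affected: 3.1.0, 3.0.0-3.0.6 and every older line; fixed: 3.0.7+ and 3.1.1+."""
    parsed = parse_version(version)
    if parsed >= (3, 1, 1):
        return False
    if (3, 0, 7) <= parsed < (3, 1, 0):
        return False
    return True


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value lines, '#' and '!' comments ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> set:
    return {item.strip() for item in value.split(",") if item.strip()}


def actuator_gateway_exposed(props: Dict[str, str]) -> bool:
    """True when the gateway actuator endpoint would be served over HTTP."""
    # The endpoint itself is enabled unless explicitly switched off.
    if props.get("management.endpoint.gateway.enabled", "true").lower() == "false":
        return False
    # Spring Boot exposes only 'health' over the web by default; '*' exposes all.
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "gateway" in exclude:
        return False
    return "*" in include or "gateway" in include


def assess(version: str, properties_text: str) -> List[str]:
    """Return human-readable findings; an empty list means neither precondition holds."""
    props = parse_properties(properties_text)
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"spring-cloud-gateway {version} is in the affected range; "
                        "upgrade to 3.0.7+ or 3.1.1+")
    if actuator_gateway_exposed(props):
        findings.append("gateway actuator endpoint is exposed over HTTP; "
                        "exclude it or place it behind authentication")
    return findings


# Constructed sample: development settings that expose every actuator endpoint.
WEAK_PROPERTIES = """
management.endpoints.web.exposure.include=*
management.endpoint.gateway.enabled=true
"""

# Constructed sample: least-functionality settings for the same service.
HARDENED_PROPERTIES = """
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=gateway
management.endpoint.gateway.enabled=false
"""


if __name__ == "__main__":
    for label, version, props in (("weak", "3.1.0", WEAK_PROPERTIES),
                                  ("hardened", "3.1.1", HARDENED_PROPERTIES)):
        print(label, assess(version, props) or ["no findings"])
```

The configuration check answers only whether the endpoint is reachable, not whether it is authenticated: a deployment that keeps the endpoint enabled for operators must still protect the `/actuator/**` path with Spring Security or a network control, which cannot be read from a properties file. Treat the version check as the decisive one; the exposure check narrows down which unpatched instances need attention first.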