CVE-2022-22963
Published: 01 April 2022
Summary
CVE-2022-22963 is a critical-severity Code Injection (CWE-94) vulnerability in the routing functionality of the Spring Cloud Function library; products that bundle that library, including Oracle Communications Cloud Native Core Network Function Cloud Native Environment, are affected through the dependency. Its CVSS base score is 9.8 (Critical).
Operationally, it sits at the very top of all CVEs by EPSS exploit likelihood (the percentile rounds to "top 0.0%" in the source data); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-22963 is a remote code execution vulnerability affecting Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported releases; fixed builds are 3.1.7 and 3.2.3. It occurs in the routing functionality: when a caller supplies a Spring Expression Language (SpEL) expression as the routing-expression (carried in the spring.cloud.function.routing-expression message header), the library evaluates it in an evaluation context that is not restricted to plain data binding, so the expression can use type references such as T(java.lang.Runtime) and invoke arbitrary methods. The flaw is tracked under CWE-94 and CWE-917 and carries a CVSS 3.1 base score of 9.8.
Unauthenticated remote attackers can exploit the issue over the network by sending a single crafted HTTP request whose routing-expression header carries the malicious SpEL payload. Successful exploitation yields arbitrary code execution as the application's service account and access to local resources, with no user interaction or privileges required.
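As an added example, not code from this page, the vendor advisories, or the Spring project: detection logic a practitioner would run at a reverse proxy or over captured HTTP requests, implementing the SI-10 input-validation idea for this specific flaw. It looks for the spring.cloud.function.routing-expression header (the message header Spring Cloud Function's routing function reads, and the vector used by the public PoCs) and flags SpEL constructs that have no place in a routing decision, such as type references, constructor calls and bean references. The allowlist of benign expression shapes and the sample requests are constructed for the example; tune the allowlist to the routes your deployment actually exposes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header that Spring Cloud Function's RoutingFunction reads a per-message
# routing expression from (the vector used by public PoCs for CVE-2022-22963).
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# Allowlist of what a legitimate client-supplied routing expression looks like.
# Assumption for this example: a bare function name, a header lookup, or a
# payload field. Tighten it to the routes your deployment actually uses.
BENIGN_EXPRESSION = re.compile(
    r"^(?:[A-Za-z_][A-Za-z0-9_]*"
    r"|headers\['[A-Za-z0-9_.-]+'\]"
    r"|payload\.[A-Za-z_][A-Za-z0-9_]*)$"
)

# SpEL constructs that step outside plain data binding. None of these belong
# in a routing decision, so any hit is treated as an injection attempt.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bT\s*\("), "type reference T(...)"),
    (re.compile(r"\bnew\s+[\w.]+\s*\("), "constructor call"),
    (re.compile(r"@\w"), "bean reference"),
    (re.compile(r"\b(Runtime|ProcessBuilder|ScriptEngineManager|ClassLoader)\b"),
     "JDK execution class"),
    (re.compile(r"\.(exec|getRuntime|forName|invoke|loadClass)\s*\("),
     "reflective or exec method"),
]


@dataclass
class Finding:
    verdict: str                  # "no-routing-header" | "benign" | "suspicious"
    expression: str = ""
    reasons: List[str] = field(default_factory=list)


def routing_expression(raw_request: str) -> Optional[str]:
    """Extract the routing-expression header value from a raw HTTP request.

    Only the header block (before the first blank line) is inspected, the
    request line is skipped, and header names compare case-insensitively.
    """
    head = raw_request.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    for line in head.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == ROUTING_HEADER:
            return value.strip()
    return None


def classify(raw_request: str) -> Finding:
    """Classify one request: no header, allowlisted routing, or SpEL abuse."""
    expr = routing_expression(raw_request)
    if expr is None:
        return Finding("no-routing-header")
    reasons = [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(expr)]
    if reasons:
        return Finding("suspicious", expr, reasons)
    if BENIGN_EXPRESSION.match(expr):
        return Finding("benign", expr)
    # Not a known-hostile construct, but outside the allowlist: under SI-10
    # anything unexpected that would reach the SpEL parser is rejected.
    return Finding("suspicious", expr, ["outside routing allowlist"])


def scan(requests: List[str]) -> List[Finding]:
    return [classify(r) for r in requests]


# Constructed sample traffic for the example (not captured from a real system).
SAMPLE_REQUESTS = [
    # Ordinary call routed to a function by name.
    "POST /functionRouter HTTP/1.1\r\nHost: fn.example.internal\r\n"
    "spring.cloud.function.routing-expression: uppercase\r\n"
    "Content-Type: text/plain\r\n\r\nhello",
    # Shape of the public PoC: a type reference that runs a command.
    "POST /functionRouter HTTP/1.1\r\nHost: fn.example.internal\r\n"
    "Spring.Cloud.Function.Routing-Expression: "
    "T(java.lang.Runtime).getRuntime().exec(\"id\")\r\n\r\nx",
    # No routing header at all.
    "GET /actuator/health HTTP/1.1\r\nHost: fn.example.internal\r\n\r\n",
    # Routing by another header's value, allowed by the allowlist.
    "POST /functionRouter HTTP/1.1\r\nHost: fn.example.internal\r\n"
    "spring.cloud.function.routing-expression: headers['x-route']\r\n\r\n{}",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The regexes are a detection heuristic, not a SpEL parser: they catch the PoC shape and the obvious variants, and the allowlist fallback catches anything unfamiliar, but an attacker who controls the evaluation context can still find expressions these patterns miss. Treat a hit as an indicator to investigate and the upgrade to a fixed release as the actual remediation.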
Public advisories from VMware Tanzu, Oracle, Cisco, and SonicWall describe the affected versions and direct users to upgrade to patched releases of Spring Cloud Function. Additional technical details and indicators are referenced in security bulletins linked from those vendors.
The CVE maintains very high EPSS scores (current value 0.9446, recorded peak 0.9755), and public exploit code has been posted to sites such as PacketStorm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1654
Vulnerability details
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
- CWE(s): CWE-94 (Code Injection), CWE-917 (Expression Language Injection)
- KEV Date Added: 25 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate and sanitize all input, including routing-expression parameters, so that malicious SpEL payloads are rejected before they reach the expression parser.
- Disable or restrict the routing functionality where it is an unneeded capability, so that SpEL expression evaluation is never exposed to untrusted input.
- SI-2 (Flaw Remediation): apply the vendor patches promptly; the fixed Spring Cloud Function releases remove the unsafe SpEL routing path entirely.