“VMware Spring Cloud” Java bug allows instant remote code execution – update now! – Naked Security
VMware Spring is an open-source Java toolkit for building powerful Java applications, including cloud-based applications, without having to write, maintain, worry about, or even figure out the “server” part of the process yourself.
If you’ve heard the term serverless computing, then that’s the kind of programming environment it refers to: the overall system isn’t serverless (no client-server or cloud solution could be, after all), but the programmers responsible for the data-processing code can pretend that there aren’t any servers when designing and coding their applications.
Simply put, you let the surrounding ecosystem do the server-centric work of accepting network traffic, setting up TLS connections, parsing HTTP requests, extracting headers and input data, deciding which request should be routed to which handler, calling the right “serverless code” (that’s where you come in!), collecting the results, and sending them back over the network to whoever made the request.
You write the code that receives the inputs and calculates the results, without having to worry about whether the inputs originated locally, arrived through your own local network, or through the Internet.
You don’t need to worry about what type of server your code is running on, or even care about it: it could be your own server, configured and maintained by your IT colleagues; or a cloud instance hosted and running on a popular cloud service provider.
Spring Cloud Function
Part of the Spring ecosystem is a set of components called Spring Cloud, through which you can connect Spring code directly to well-known cloud services from Alibaba, Amazon, Azure, Netflix and many more.
And there is a subcomponent in Spring Cloud called Spring Cloud Function, which lets you do so-called “functional” serverless programming, where you write the Java functions that get called when specific web requests arrive, without worrying about how the surrounding Spring system figured out that your function was the right one to call.
Unfortunately, there is a dangerous bug called CVE-2022-22963, also known as the Spring Expression Resource Access Vulnerability, in the Spring Cloud Function component.
If the person calling your Java function over the web (to look up a username in a database, for example, or to check whether a specific SKU is in stock) inserts a specific HTTP header into their web request, and if that header contains Java-style code, in the form of a Spring Expression Language (SpEL) expression, structured in the right way…
… then the code in that header gets run on the server, directly in the context of the Spring Cloud application itself.
In other words, simple unauthenticated Remote Code Execution (RCE).
Proof-of-concept (PoC) code is already readily available on the internet, and demonstrates how to inject rogue code into incoming Spring Cloud Function requests and how to use that code to run an unwanted program.
The PoCs we’ve seen so far have all just spawned a calculator app, which is more than enough to prove the point, but it looks as though any command already installed on the server could just as easily be run. That includes remotely triggering web download programs such as curl, launching command shells such as bash, or even doing both in order to implant malware quickly and stealthily.
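As an added example (this is not code from the article, from Sophos, or from the Spring project), here is a small Python checker that parses a raw HTTP request and flags header values that look like Spring Expression Language (SpEL) rather than ordinary header content, which is the kind of thing you would want in a WAF rule or a log-review script while you roll out the patch. The sample requests are constructed; the header name spring.cloud.function.routing-expression is taken from my reading of the CVE-2022-22963 advisory rather than from the article, and the exploit payload follows the shape of the public calculator-spawning PoCs mentioned above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# SpEL constructs that a legitimate client has no reason to put in a header value.
# T(...) is SpEL's type-reference operator: it is how an expression reaches static
# entry points such as java.lang.Runtime.getRuntime(). Tuple: regex, reason, severity.
INDICATORS = (
    (re.compile(r"T\s*\(\s*java\.lang\.Runtime\s*\)", re.I), "type reference to java.lang.Runtime", "high"),
    (re.compile(r"T\s*\(\s*java\.lang\.ProcessBuilder\s*\)", re.I), "type reference to java.lang.ProcessBuilder", "high"),
    (re.compile(r"\.getRuntime\s*\(\s*\)\s*\.exec\s*\(", re.I), "Runtime.getRuntime().exec() call chain", "high"),
    (re.compile(r"\bT\s*\(\s*[A-Za-z_][\w.]*\s*\)"), "SpEL type reference T(...)", "medium"),
    (re.compile(r"\bnew\s+[A-Za-z_][\w.]*\s*\("), "SpEL object construction with new", "medium"),
    (re.compile(r"#\{|\$\{"), "expression template delimiter", "low"),
)

# Header that Spring Cloud Function's routing layer evaluates as SpEL.
# ASSUMPTION: the name comes from my reading of the CVE-2022-22963 advisory,
# not from the article; a client-supplied value here is suspicious on its own.
SPEL_HEADERS = frozenset({"spring.cloud.function.routing-expression"})
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    header: str
    reason: str
    severity: str
    value: str


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (request_line, headers); names are
    lower-cased (HTTP compares them case-insensitively) and repeats are joined with ', '."""
    sep = "\r\n\r\n" if "\r\n" in raw else "\n\n"
    lines = raw.split(sep, 1)[0].replace("\r\n", "\n").split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0].strip(), headers


def inspect_headers(headers: dict[str, str]) -> list[Finding]:
    """Return findings, highest severity first, for header values that look like SpEL."""
    findings: list[Finding] = []
    for name, value in headers.items():
        lname = name.lower()
        matched = False
        for pattern, reason, severity in INDICATORS:
            if pattern.search(value):
                matched = True
                # Any expression in a header that Spring evaluates is high severity regardless.
                findings.append(Finding(lname, reason, "high" if lname in SPEL_HEADERS else severity, value))
        if lname in SPEL_HEADERS and not matched:
            # Even an innocent-looking routing expression from an untrusted client deserves a log entry.
            findings.append(Finding(lname, "client-supplied routing expression", "medium", value))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return findings


def max_severity(raw_request: str) -> str | None:
    """Highest severity seen in a raw request, or None if nothing looked like SpEL."""
    findings = inspect_headers(parse_request(raw_request)[1])
    return findings[0].severity if findings else None


# Constructed sample traffic (not captured from any real system).
BENIGN_REQUEST = (
    "POST /functionRouter HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"sku": "ABC-123"}'
)

# Mimics the shape of the public PoCs: a SpEL expression in the routing header
# that makes the server spawn a process (a calculator, as in those PoCs).
EXPLOIT_REQUEST = (
    "POST /functionRouter HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("calc")\r\n'
    "\r\n"
)

# Same payload with whitespace padding, template delimiters and an unrelated header
# name, showing that the indicators do not rely on exact spelling or on the header.
OBFUSCATED_REQUEST = (
    "GET /functionRouter HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "X-Trace: ${ T( java.lang.Runtime ).getRuntime( ).exec( 'calc' ) }\r\n"
    "\r\n"
)
```

Running `max_severity()` over the three samples gives None for the benign request and "high" for both malicious ones; the second malicious request is caught even though it avoids the routing header, because the Runtime/exec indicators fire on any header value. Treat this as a triage aid, not a substitute for the update: SpEL can be written in many ways, and a determined attacker will find a spelling these regexes miss.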
What to do?
If you use the Spring Cloud Function module in any of your services, update immediately to version 3.1.7 or 3.2.3, depending on whether you are on the 3.1 or 3.2 branch of the module.