Vulnerability Details : CVE-2022-22963
Public exploit exists!
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Vulnerability category: Execute code
Products affected by CVE-2022-22963
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*
- Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 1.10.0cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
- Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 22.1.0cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*
- Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 22.1.2cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_origination:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_electronic_data_exchange_for_corporates:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_branch:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*
CVE-2022-22963 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Notes:
https://tanzu.vmware.com/security/cve-2022-22963; https://nvd.nist.gov/vuln/detail/CVE-2022-22963
Added on
2022-08-25
Action due date
2022-09-15
Exploit prediction scoring system (EPSS) score for CVE-2022-22963
94.47%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2022-22963
-
Spring Cloud Function SpEL Injection
Disclosure Date: 2022-03-29First seen: 2022-12-23exploit/multi/http/spring_cloud_function_spel_injectionSpring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression heade
CVSS scores for CVE-2022-22963
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-01-29 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-22963
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by:
- nvd@nist.gov (Primary)
- security@vmware.com (Secondary)
-
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-22963
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Patch;Third Party Advisory
-
http://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html
Spring Cloud 3.2.2 Remote Command Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH
Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022Third Party Advisory
-
https://tanzu.vmware.com/security/cve-2022-22963
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression | Security | VMware TanzuVendor Advisory
-
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
Security AdvisoryThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - July 2022Patch;Third Party Advisory
Jump to