IronMonkey Threat Research

CVE-2022-22963 CRITICAL

Published: 2022-04-01 | Last Modified: 2025-10-30 | Status: Analyzed

Description

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Additional Descriptions (1)

In Spring Cloud Function versions 3.1.6, 3.2.2 and earlier unsupported versions, when the routing functionality is used it is possible for a user to supply a specially crafted SpEL as a routing expression that may result in remote code execution and access to local resources.

CVSS Metrics

CVSS v3.1 Base Score: 9.8 (CRITICAL)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 5.9

CVSS v2 Base Score: 7.5 (HIGH)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 10.0

Impact Score: 6.4

Weaknesses

Source             Type       Lang  Description
[email protected]  Secondary  en    CWE-94
[email protected]  Primary    en    CWE-917

Affected Products

Vendor  Product                                                                           Version      Type
vmware  spring_cloud_function                                                             *            Application
vmware  spring_cloud_function                                                             *            Application
oracle  banking_branch                                                                    14.5         Application
oracle  banking_cash_management                                                           14.5         Application
oracle  banking_corporate_lending_process_management                                      14.5         Application
oracle  banking_credit_facilities_process_management                                      14.5         Application
oracle  banking_electronic_data_exchange_for_corporates                                   14.5         Application
oracle  banking_liquidity_management                                                      14.2         Application
oracle  banking_liquidity_management                                                      14.5         Application
oracle  banking_origination                                                               14.5         Application
oracle  banking_supply_chain_finance                                                      14.5         Application
oracle  banking_trade_finance_process_management                                          14.5         Application
oracle  banking_virtual_account_management                                                14.5         Application
oracle  communications_cloud_native_core_automated_test_suite                             1.9.0        Application
oracle  communications_cloud_native_core_automated_test_suite                             22.1.0       Application
oracle  communications_cloud_native_core_console                                          1.9.0        Application
oracle  communications_cloud_native_core_console                                          22.1.0       Application
oracle  communications_cloud_native_core_network_exposure_function                        22.1.0       Application
oracle  communications_cloud_native_core_network_function_cloud_native_environment        1.10.0       Application
oracle  communications_cloud_native_core_network_function_cloud_native_environment        22.1.0       Application
oracle  communications_cloud_native_core_network_function_cloud_native_environment        22.1.2       Application
oracle  communications_cloud_native_core_network_repository_function                      1.15.0       Application
oracle  communications_cloud_native_core_network_repository_function                      22.1.0       Application
oracle  communications_cloud_native_core_network_slice_selection_function                 1.8.0        Application
oracle  communications_cloud_native_core_network_slice_selection_function                 22.1.0       Application
oracle  communications_cloud_native_core_policy                                           1.15.0       Application
oracle  communications_cloud_native_core_policy                                           22.1.0       Application
oracle  communications_cloud_native_core_policy                                           22.1.3       Application
oracle  communications_cloud_native_core_security_edge_protection_proxy                   1.7.0        Application
oracle  communications_cloud_native_core_security_edge_protection_proxy                   22.1.0       Application
oracle  communications_cloud_native_core_unified_data_repository                          1.15.0       Application
oracle  communications_cloud_native_core_unified_data_repository                          22.1.0       Application
oracle  communications_communications_policy_management                                   12.6.0.0.0   Application
oracle  financial_services_analytical_applications_infrastructure                         8.1.1.0      Application
oracle  financial_services_analytical_applications_infrastructure                         8.1.2.0      Application
oracle  financial_services_behavior_detection_platform                                    8.1.1.0      Application
oracle  financial_services_behavior_detection_platform                                    8.1.1.1      Application
oracle  financial_services_behavior_detection_platform                                    8.1.2.0      Application
oracle  financial_services_enterprise_case_management                                     8.1.1.0      Application
oracle  financial_services_enterprise_case_management                                     8.1.1.1      Application
oracle  financial_services_enterprise_case_management                                     8.1.2.0      Application
oracle  mysql_enterprise_monitor                                                          *            Application
oracle  product_lifecycle_analytics                                                       3.6.1.0      Application
oracle  retail_xstore_point_of_service                                                    20.0.1       Application
oracle  retail_xstore_point_of_service                                                    21.0.0       Application
oracle  sd-wan_edge                                                                       9.0          Application
oracle  sd-wan_edge                                                                       9.1          Application

Affected Configurations

Operator: OR

Vulnerable  CPE
Yes cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*
Yes cpe:2.3:a:vmware:spring_cloud_function:*:*:*:*:*:*:*:*

Operator: OR

Vulnerable  CPE
Yes cpe:2.3:a:oracle:banking_branch:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_electronic_data_exchange_for_corporates:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_origination:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.2:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.3:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:communications_communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*
Yes cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*

References
