Is Spring Cloud Gateway patched against CVE-2022-22947?

Send a crafted curl request within a SpEL expression that creates a new endpoint and executes code on the host. The created endpoint will be removed upon completion if the exploit is successful.

This week, we are releasing 3 TTPs:

  • Is CVE-2022-22947 patched on this host?
  • Is CVE-2022-29464 patched on this host?
  • Is CVE-2022-0543 patched on this host?

Is CVE-2022-22947 patched on this host?

Spring Cloud Gateway provides an effective way to route APIs, allowing administrators to define conditions where traffic can be proxied through the gateway to downstream applications. The Gateway Actuator endpoint provides built-in endpoints and enables the application administrators to add and delete routes.

This vulnerability allows unauthenticated arbitrary code execution via the Spring Cloud Gateway Actuator endpoint. Arbitrary code execution is an attack where an application unexpectedly runs user-supplied data as code.

Spring Cloud Gateway versions, before 3.1.1+ and 3.0.7+, are vulnerable to code injection attacks via the Gateway Actuator using SpEL (Spring Expression Language). The exploit works by sending the Gateway Actuator a HTTP POST request that creates a new endpoint. This request contains a SpEL expression that is executed by the application. The application will output the command result when visiting the URL of the newly created endpoint.

Testing

Execute Operator's CVE-2022-22947 TTP on each server running Spring Cloud Gateway in your environment to test if you are vulnerable.

The TTP will send a POST request to localhost using Spring Cloud Gateway's default port 9000. Depending on your configuration, you may need to adjust the predefined URL. The TTP will create a new endpoint with the name `prelude` and run the Linux command `id`. The TTP will check for the output of the `id` command to confirm if the exploit was successful.

Remediation

Users should upgrade Spring Cloud Gateway to 3.1.1 or newer. Users of 3.0.x should upgrade to 3.0.7 or newer. If the Gateway actuator endpoint is not needed, you should disable it via the setting: `management.endpoint.gateway.enabled: false`. If the actuator is required, it should be secured using Spring Security.

Check out the TTP “Is CVE-2022-22947 patched on this host?”

Is CVE-2022-29464 patched on this host?

This vulnerability allows unrestricted arbitrary file upload and remote code execution on various WSO2 products, such as API Manager. This vulnerability is the result of improper validation of user input. A malicious actor can upload an arbitrary file, such as a web shell, to gain remote code execution on the server. A web shell is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network.

Testing

Execute Operator's CVE-2022-29464 TTP on each instance running the affected versions of WSO2 products.

The TTP will attempt to upload a web shell called `prelude.jsp` to the API Manager's default web port 9443 on localhost. After running, the TTP will remove the web shell from the filesystem if the exploit is successful. Adjusting the URL in the TTP file may be necessary, depending on your configuration.

Remediation

WSO2 has published a security advisory with instructions for remediating the vulnerability.

Check out the TTP “Is CVE-2022-29464 patched on this host?”

Is CVE-2022-0543 patched on this host?

Redis is an open-source database developers use as a cache, streaming engine, and message broker in real-time applications that demand high-performance reads.

A vulnerability exists in Redis before redis/5:5.0.14-1+deb10u1, redis/5:5.0.3-4, and redis/5:6.0.15-1 that allows an attacker to execute arbitrary code through the `eval` command. The Lua engine sandbox typically prevents a Redis client from calling functions outside the scope of the Redis API. However, when Lua is loaded as a dynamic library on Debian-based distros, the sandbox automatically initializes and includes the package variable that allows access to exported functions. One of these exported functions enables the opening of new processes to execute arbitrary code.

Testing

Execute Operator's CVE-2022-0543 TTP on each host running a Redis server in your environment to test if you are vulnerable.

The TTP is configured to execute a Redis client command that exploits this vulnerability. No additional clean-up or action is required.

Remediation

Upgrade to the latest version of Redis. NIST has published a security advisory on the vulnerability.

Check out the TTP “Is CVE-2022-0543 patched on this host?”

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Kris: https://twitter.com/Xanthonus

Octavia: https://twitter.com/VV_X_7

Bart: https://twitter.com/bartimusprimed

Sam: https://twitter.com/heavenraiza

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Is CVE-2022-22947 patched on this host?

Tactics