Summary of vulnerability

Spring Cloud Function is a functional computing framework (FaaS) based on Spring Boot. The project provides a common model for deploying function-based software on a variety of platforms, including Function-as-a-Service platforms such as Amazon AWS Lambda. It abstracts away all transport details and infrastructure, allowing developers to keep their familiar tools and processes and focus on business logic.

A SpEL expression injection vulnerability exists in the default configuration of Spring Cloud Function from version 3.0.0 up to and including the latest release, 3.2.2 (commit DC5128B).

Vulnerability reproduction

In IDEA, create a new project, choose Spring Initializr, enter any project name, select the Java language and JDK version, and click Next.

Select Spring Web and Function as dependencies and click Finish.

The vulnerable environment is now built. Because the fixed version has not been officially released yet, the latest release, 3.2.2, is still vulnerable. To reproduce the vulnerability after the fixed version is released, set the version of spring-cloud-function-web in the POM back to 3.2.2, as shown below:

Once you have confirmed that the project uses the vulnerable version of spring-cloud-function-web, start the project directly without any further changes.

Then send the payload to local port 8080.

Vulnerability analysis

In the Git commit github.com/spring-clou…, the commit message clearly states that the SpEL code injection vulnerability in RoutingFunction has been fixed. Only two files have been changed so far, one of which is a unit test.

The test case clearly identifies both the vulnerable location and the test payload.

The test case shows that when a request is sent to the Spring Cloud Function web service, placing a SpEL expression in a specific header causes that expression to be evaluated, which allows command execution.

In the file org.springframework.cloud.function.context.config.RoutingFunction, the request reaches the apply method, which calls the route method. The route method checks whether a particular header is empty; if it is not, the functionFromExpression method is called.

SpEL is then invoked to parse the routingExpression, which results in SpEL expression injection.

The header value is fully trusted by this logic, and the evalContext used to evaluate the SpEL expression is a StandardEvaluationContext, the most powerful (and therefore most dangerous) evaluation context, which places no restrictions on what the expression may do.

In the latest official patch, a headerEvalContext object has been added; it is a SimpleEvaluationContext, which provides only a minimal set of SpEL features.

A Boolean parameter, isViaHead, is added to the functionFromExpression method to indicate whether the expression was taken from the message header. If so, the SpEL expression is evaluated using the headerEvalContext object.
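As an added illustration (not code from this page or from the Spring Cloud Function project), the following Java snippet reproduces the difference the patch relies on: the same header-supplied routing expression evaluated first in a StandardEvaluationContext and then in a read-only SimpleEvaluationContext. The header name demo-routing-expression, the target header and the class HeaderRoutingDemo are constructed for the demo; it assumes spring-expression and spring-messaging are on the classpath.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.messaging.Message;
import org.springframework.messaging.support.MessageBuilder;

public class HeaderRoutingDemo {
    // Constructed header name for this demo; the real header name is defined in the project's source.
    static final String ROUTING_HEADER = "demo-routing-expression";
    static final ExpressionParser PARSER = new SpelExpressionParser();
    // Pre-patch pattern: StandardEvaluationContext resolves T(...) type references and can call methods on any class.
    static String routeUnsafe(Message<?> message) {
        String expr = (String) message.getHeaders().get(ROUTING_HEADER);
        return PARSER.parseExpression(expr).getValue(new StandardEvaluationContext(message), String.class);
    }

    // Patched pattern: a read-only SimpleEvaluationContext allows property/index access only, no type references or constructors.
    static String routeSafe(Message<?> message) {
        String expr = (String) message.getHeaders().get(ROUTING_HEADER);
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, message, String.class);
    }

    // Builds a constructed message carrying a legitimate routing hint plus the routing header.
    static Message<String> request(String routingExpression) {
        return MessageBuilder.withPayload("hello")
                .setHeader("target", "uppercase")
                .setHeader(ROUTING_HEADER, routingExpression)
                .build();
    }

    public static void main(String[] args) {
        // A benign expression that only reads a message header is accepted by both contexts.
        Message<String> ok = request("headers['target']");
        System.out.println("unsafe, benign: " + routeUnsafe(ok));
        System.out.println("safe,   benign: " + routeSafe(ok));

        // A type reference is what the injection relies on: the old context evaluates it, while the
        // restricted context throws SpelEvaluationException before any class is resolved.
        Message<String> typeRef = request("T(java.lang.Math).max(2, 3)");
        System.out.println("unsafe, T(): " + routeUnsafe(typeRef));
        try {
            routeSafe(typeRef);
        } catch (SpelEvaluationException e) {
            System.out.println("safe,   T(): rejected -> " + e.getMessage());
        }
    }
}
```

The rejected type reference is the property to look for when reviewing any code that evaluates SpEL from request data: if the context is a StandardEvaluationContext, untrusted input must never reach it.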

Remediation advice

The Spring Cloud Function maintainers have already fixed this vulnerability, but no release containing the fix has been published yet. As a temporary fix, you can pull the latest fixed code and recompile and package it yourself. Moyun recommends backing up your data before upgrading to avoid data loss. The official patch can be found at github.com/spring-clou…

For more information, follow the official account “Moyun Security” for more on intelligent network attack and defense.