Information on CVE-2022-22963: Remote Code Execution in Spring Cloud Function

Customer Alert 20220401

What is CVE-2022-22963 about?

CVE-2022-22963 is a critical-severity vulnerability affecting Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions. When using routing functionality it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression as a routing-expression that may result in remote code execution and access to local resources.

Based on what we know now, can Waratek Java products remediate this vulnerability?

Yes. Waratek recommends enabling the ARMR Process Forking rule to prevent remote code execution via data binding and remediate CVE-2022-22963. A custom ARMR Remediation Patch will not be required and customers with the ARMR Process Forking rule already in place are currently secured against CVE-2022-22963.

Does the vulnerability impact any third-party tools I use with Waratek solutions?

We strongly recommend that all customers check third-party support and advisory sites. If you have any questions or concerns, you can also contact our Customer Support team at [email protected].

Non-Waratek customers should request a trial license or a live demonstration of Waratek’s protective agents.

About Waratek

Some of the world’s leading companies use Waratek’s ARMR Security Platform to patch, secure and upgrade their mission-critical applications. A pioneer in the next generation of application security solutions, Waratek makes it easy for security teams to instantly detect and remediate known vulnerabilities with no downtime, protect their applications from known and zero-day attacks, and virtually upgrade out-of-support Java applications – all without time-consuming and expensive source code changes or unacceptable performance overhead.

Waratek is the winner of the 2020 Cyber Defense Magazine’s Cutting Edge Award for Application Security, the Cybersecurity Breakthrough Awards 2019 Overall Web Security Solution of the Year, and is a previous winner of the RSA Innovation Sandbox Award along with more than a dozen other awards and recognitions.