Description

Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

Affected Spring Products and Versions

Spring Cloud Gateway
- 3.1.0
- 3.0.0 to 3.0.6
- Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following remediation. 3.1.x users should upgrade to 3.1.1+. 3.0.x users should upgrade to 3.0.7+. If the Gateway actuator endpoint is not needed it should be disabled via management.endpoint.gateway.enabled: false. If the actuator is required it should be secured using Spring Security, see https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.endpoints.security. Releases that have fixed this issue include:

Spring Cloud Gateway
- 3.1.1+
- 3.0.7+

Credit

This vulnerability was discovered and responsibly reported by Wyatt Dahlenburg.

History

2022-03-01: Initial vulnerability report published.

Reporting a vulnerability

The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.

To report a security vulnerability in a VMware service or product please refer to the VMware Security Response Policy.