CVE-2022-22963 — VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability

CVE-2022-22963

Spring Cloud Function — Pre-Auth RCE via SpEL Injection in Routing Expression Header

What is Spring Cloud Function?

Spring Cloud Function is a framework for implementing business logic as serverless functions in Java, enabling function-based programming across multiple runtimes — AWS Lambda, Azure Functions, GCP Cloud Functions, and Apache OpenWhisk. It supports routing HTTP requests to different function implementations based on routing expressions, making it a common abstraction layer in cloud-native serverless applications.

Overview

CVE-2022-22963 is a pre-authentication remote code execution vulnerability in Spring Cloud Function arising from Spring Expression Language (SpEL) injection via the spring.cloud.function.routing-expression HTTP header. An attacker can send any HTTP request to a Spring Cloud Function application with a malicious SpEL expression in this header, causing the server to evaluate arbitrary Java code. CVSS 9.8 (Critical). This CVE was disclosed on the same day as Spring4Shell (CVE-2022-22965), causing significant confusion in the security community — many initial reports conflated the two vulnerabilities. Both were quickly weaponized.

Affected Versions

Version                                    Status
Spring Cloud Function 3.1.6 and earlier    Vulnerable
Spring Cloud Function 3.2.2 and earlier    Vulnerable
Spring Cloud Function 3.1.7                Fixed
Spring Cloud Function 3.2.3                Fixed

Technical Details

Spring Cloud Function supports a routing feature that allows a single endpoint to dispatch requests to different function implementations based on a routing expression. This expression is passed via the spring.cloud.function.routing-expression HTTP header when using the RoutingFunction component.

The framework evaluates this header value as a SpEL expression. SpEL is a powerful expression language with access to Java reflection and the Spring application context — including the ability to execute system processes:

POST /functionRouter HTTP/1.1
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("id")

The expression T(java.lang.Runtime).getRuntime().exec(...) uses SpEL's type reference operator to access the Java Runtime class and execute OS commands. No authentication or prior state is required.

This is conceptually similar to CVE-2022-22947 (Spring Cloud Gateway SpEL injection) but affects a different component — Spring Cloud Function rather than Spring Cloud Gateway.

Discovery

CVE-2022-22963 was discovered and disclosed alongside a cluster of Spring vulnerabilities in late March and early April 2022. Public advisories do not definitively attribute the discoverer.

Exploitation Context

CVE-2022-22963 was disclosed on March 29, 2022, one day before Spring4Shell (CVE-2022-22965). Media coverage of "Spring RCE" often blurred the lines between these two CVEs, complicating incident response for many organizations.

Key exploitation characteristics:

  • Single HTTP header: Trivial to exploit — just add one header to any POST request
  • No credentials required: Works against any Spring Cloud Function deployment with RoutingFunction enabled
  • Serverless deployments: Commonly deployed in AWS Lambda, Azure Functions, GCP Cloud Functions — cloud environments where function-level compromise can lead to credential theft via metadata services (IMDSv1)
  • Rapid weaponization: PoC exploits appeared within hours; mass scanning observed within 24 hours

Attackers exploited this to drop cryptominers and establish footholds in cloud environments.

Remediation

  1. Upgrade Spring Cloud Function: Update to 3.1.7 or 3.2.3.
  2. Disable RoutingFunction if unused: If your application does not use the routing feature, disable it by removing spring.cloud.function.routing-expression from your enabled configuration.
  3. Input validation: As a defense-in-depth measure, implement WAF rules blocking requests with spring.cloud.function.routing-expression headers containing SpEL metacharacters (T(, exec, Runtime).
  4. Review cloud metadata access: In cloud environments, ensure function IAM roles have minimal permissions — if exploited, attackers attempt to enumerate cloud credentials via IMDS.
  5. Distinguish from Spring4Shell: If you received alerts for "Spring RCE" in early April 2022, confirm whether CVE-2022-22963 or CVE-2022-22965 (or both) are relevant to your environment — they require different fixes.
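To make remediation step 3 concrete, and to show the header-evaluation path described under Technical Details from the defender's side, here is an added Python detection example; it is not code from Spring or from this advisory. The header name and the T(, exec and Runtime indicators come from the text above; the function names, the app.example host and the sample requests are constructed for illustration.

```python
"""Added example (not Spring's code): flag requests carrying a suspicious
spring.cloud.function.routing-expression header, the CVE-2022-22963 pattern."""
import re
from typing import Dict, List, Tuple

ROUTING_HEADER = "spring.cloud.function.routing-expression"
# Indicators from the advisory's WAF guidance: T(, exec, Runtime.
SPEL_INDICATORS = re.compile(r"T\(|exec|Runtime")


def parse_headers(raw_request: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP request into (request line, headers). Names are
    lower-cased because HTTP header names are case-insensitive, so a rule
    keyed on one spelling would miss Spring.Cloud.Function.Routing-Expression."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines with no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def inspect_request(raw_request: str) -> Tuple[str, List[str]]:
    """Return ('block', indicators) when the routing header carries a SpEL
    indicator, ('log', []) when it is present but clean (routing is normally
    configured server-side, so a client-supplied value is worth recording),
    and ('allow', []) when the header is absent."""
    _, headers = parse_headers(raw_request)
    values = headers.get(ROUTING_HEADER, [])
    if not values:
        return "allow", []
    found = sorted({m for v in values for m in SPEL_INDICATORS.findall(v)})
    return ("block", found) if found else ("log", [])


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "malicious": ("POST /functionRouter HTTP/1.1\r\nHost: app.example\r\n"
                  "spring.cloud.function.routing-expression: "
                  "T(java.lang.Runtime).getRuntime().exec(\"id\")\r\n\r\n"),
    "mixed_case": ("POST /functionRouter HTTP/1.1\r\nHost: app.example\r\n"
                   "Spring.Cloud.Function.Routing-Expression: "
                   "T(java.lang.Runtime).getRuntime().exec('id')\r\n\r\n"),
    "benign": ("POST /functionRouter HTTP/1.1\r\nHost: app.example\r\n"
               "spring.cloud.function.routing-expression: headers['fn']\r\n\r\n"),
    "no_header": "POST /functionRouter HTTP/1.1\r\nHost: app.example\r\n\r\n",
}
```

The mixed_case sample is the check a WAF rule most often gets wrong: the header name differs only in case, and the request must still be caught.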

Key Details

Property               Value
CVE ID                 CVE-2022-22963
Vendor / Product       VMware Tanzu — Spring Cloud
NVD Published          2022-04-01
NVD Last Modified      2025-10-30
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-94
CISA KEV Added         2022-08-25
CISA KEV Deadline      2022-09-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-09-15. Apply updates per vendor instructions.

Timeline

Date         Event
2022-03-29   VMware/Spring published advisory; patched versions released
2022-04-01   CVE published
2022-04-01   Spring4Shell (CVE-2022-22965) disclosed on the same day, causing widespread confusion
2022-08-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-09-15   CISA BOD 22-01 remediation deadline