CVE-2021-22044 Overview
CVE-2021-22044 is an information disclosure vulnerability affecting Spring Cloud OpenFeign, a declarative REST client for Spring Boot applications. Applications using type-level @RequestMapping annotations over Feign client interfaces can inadvertently expose endpoints corresponding to @RequestMapping-annotated interface methods. This misconfiguration flaw allows unauthorized network-based access to internal endpoints that were intended to remain private.
Critical Impact
Unintended exposure of internal API endpoints may allow attackers to access sensitive data or functionality that should not be publicly accessible, potentially leading to data breaches or unauthorized system access.
Affected Products
- VMware Spring Cloud OpenFeign 3.0.0 to 3.0.4
- VMware Spring Cloud OpenFeign 2.2.0.RELEASE to 2.2.9.RELEASE
- Older unsupported versions of Spring Cloud OpenFeign
Discovery Timeline
- 2021-10-28 - CVE-2021-22044 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-22044
Vulnerability Analysis
This vulnerability stems from how type-level @RequestMapping annotations on Feign client interfaces are handled. Spring Cloud OpenFeign lets developers describe an outbound HTTP client as a Java interface using Spring MVC annotations. When @RequestMapping is placed on the interface itself, however, the framework registers the interface's @RequestMapping-annotated methods as inbound web endpoints in the application context.
The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-668 (Exposure of Resource to Wrong Sphere). This means that internal service-to-service communication endpoints become accessible to external actors through the network, bypassing intended access controls.
Root Cause
The root cause lies in the framework's annotation processing. When Spring scans beans for type-level @RequestMapping annotations to build its handler mappings, it does not distinguish a Feign client interface (which describes outbound requests) from a controller class (which handles inbound requests). As a result, @RequestMapping-annotated methods on Feign interfaces are registered as routable endpoints in the Spring Web context.
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests to the unintentionally exposed endpoints. The attack requires network access to the vulnerable application and no authentication or user interaction is required. The exposed endpoints may reveal sensitive information, internal API responses, or configuration data depending on what the Feign client was designed to consume.
The vulnerability is exploited through standard HTTP requests to the application's own exposed port. For example, if a Feign client interface carries @RequestMapping("/internal-api") at the type level and declares a method such as getUsers() mapped to /users, an attacker could request /internal-api/users directly from the application and receive a response that was meant only for internal service-to-service communication.
Detection Methods for CVE-2021-22044
Indicators of Compromise
- Unexpected HTTP requests to endpoints that match Feign client interface method mappings
- Access logs showing requests to internal API paths from external IP addresses
- Authentication failures or unusual access patterns on service-to-service communication endpoints
- Elevated traffic to paths typically reserved for backend microservice communication
Detection Strategies
- Review application logs for requests to endpoints matching Feign client @RequestMapping paths
- Audit the Spring Boot Actuator /mappings endpoint to identify handler mappings that were registered unexpectedly (for example, mappings whose handler class is a Feign client interface)
- Implement anomaly detection for access to internal API paths from external sources
- Use application security scanning tools to enumerate exposed endpoints and compare against intended public API surface
Monitoring Recommendations
- Enable detailed access logging for all HTTP endpoints to detect unauthorized access attempts
- Monitor for unusual traffic patterns to paths containing internal API naming conventions
- Set up alerts for access to Feign client endpoint paths from non-internal IP ranges
- Regularly audit the application's endpoint registry using Spring Boot Actuator's /mappings endpoint
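The two checks recommended above (auditing the Actuator /mappings output and reviewing access logs) as one added example; this is not code from the advisory or the Spring Cloud project. It assumes the Spring Boot 2.x /actuator/mappings JSON layout, a combined-format access log, a 10.0.0.0/8 internal range, and a hypothetical FEIGN_INTERFACES list taken from grepping the codebase for @FeignClient; the JSON and log lines are constructed samples.

```python
import ipaddress
import json
import re

# Constructed /actuator/mappings output (Spring Boot 2.x layout assumed): a real
# controller plus a Feign interface whose method was registered as an inbound handler.
SAMPLE_MAPPINGS = json.dumps({"contexts": {"application": {"mappings": {"dispatcherServlets": {"dispatcherServlet": [
    {"handler": "com.example.web.OrderController#list()", "predicate": "{GET [/orders]}",
     "details": {"handlerMethod": {"className": "com.example.web.OrderController", "name": "list"},
                 "requestMappingConditions": {"patterns": ["/orders"], "methods": ["GET"]}}},
    {"handler": "com.example.client.UserClient#getUsers()", "predicate": "{GET [/internal-api/users]}",
     "details": {"handlerMethod": {"className": "com.example.client.UserClient", "name": "getUsers"},
                 "requestMappingConditions": {"patterns": ["/internal-api/users"], "methods": ["GET"]}}},
    {"handler": "ResourceHttpRequestHandler [classpath:/static/]", "predicate": "/**", "details": None},
]}}}}})
# Interfaces annotated with @FeignClient, listed from the codebase (hypothetical name).
FEIGN_INTERFACES = {"com.example.client.UserClient"}

def exposed_feign_mappings(mappings_json, feign_interfaces):
    """(pattern, methods, class) for every dispatcher mapping whose handler is a Feign interface."""
    found = []
    for ctx in json.loads(mappings_json)["contexts"].values():
        for entries in ctx["mappings"].get("dispatcherServlets", {}).values():
            for entry in entries:
                details = entry.get("details") or {}  # resource handlers carry no details
                cls = details.get("handlerMethod", {}).get("className")
                if cls in feign_interfaces:
                    cond = details.get("requestMappingConditions", {})
                    methods = ",".join(cond.get("methods", [])) or "ANY"
                    found.extend((pat, methods, cls) for pat in cond.get("patterns", []))
    return found

# Constructed combined-format access log lines for the log-review check.
SAMPLE_LOG = """\
10.0.3.7 - - [01/Nov/2021:10:00:01 +0000] "GET /orders HTTP/1.1" 200 512
203.0.113.9 - - [01/Nov/2021:10:00:02 +0000] "GET /internal-api/users?page=1 HTTP/1.1" 200 8192
10.0.3.8 - - [01/Nov/2021:10:00:03 +0000] "GET /internal-api/users HTTP/1.1" 200 8192
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal service range

def external_hits(log_text, exposed_paths):
    """Requests to an exposed Feign path from outside INTERNAL_NETS: (ip, method, path, status)."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, method, path, status = m.groups()
        internal = any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
        if path.split("?", 1)[0] in exposed_paths and not internal:
            hits.append((ip, method, path, status))
    return hits
```

Feed the body returned by curl http://localhost:8080/actuator/mappings to exposed_feign_mappings(), then pass the resulting patterns to external_hits() over the real access log to surface hits from outside the internal range.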
How to Mitigate CVE-2021-22044
Immediate Actions Required
- Upgrade Spring Cloud OpenFeign to version 3.0.5 or later for the 3.x branch
- Upgrade Spring Cloud OpenFeign to version 2.2.10.RELEASE or later for the 2.2.x branch
- Review all Feign client interfaces for type-level @RequestMapping annotations
- Remove type-level @RequestMapping annotations from Feign client interfaces as an immediate workaround
Patch Information
VMware has released patched versions addressing this vulnerability. Users should upgrade to Spring Cloud OpenFeign 3.0.5 or later for applications using the 3.x release train, or 2.2.10.RELEASE or later for applications on the 2.2.x release train. Detailed patch information is available in the VMware Security Advisory CVE-2021-22044.
Workarounds
- Remove type-level @RequestMapping annotations from Feign client interfaces and apply them at the method level instead
- Use the path attribute of @FeignClient instead of a type-level @RequestMapping to define the client's base path
- Implement network segmentation to restrict access to internal service endpoints
- Configure Spring Security to explicitly deny access to unintended endpoints
Configuration example - use the @FeignClient path attribute instead of a type-level @RequestMapping.

Before (vulnerable):

@FeignClient(name = "user-service")
@RequestMapping("/api/users")
public interface UserClient { ... }

After (secure):

@FeignClient(name = "user-service", path = "/api/users")
public interface UserClient { ... }

Verify which handler mappings the application actually exposes using Spring Boot Actuator:

curl http://localhost:8080/actuator/mappings | jq '.contexts.application.mappings.dispatcherServlets'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.