CVE-2022-22947 Overview
CVE-2022-22947 is a critical code injection vulnerability affecting VMware Spring Cloud Gateway versions prior to 3.1.1 and 3.0.7. The vulnerability exists when the Gateway Actuator endpoint is enabled, exposed, and unsecured, allowing remote attackers to execute arbitrary code on the target system through maliciously crafted requests. This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Critical Impact
Remote code execution with no authentication required, enabling complete system compromise through network-accessible Spring Cloud Gateway instances with exposed Actuator endpoints.
Affected Products
- VMware Spring Cloud Gateway versions prior to 3.1.1 (3.1.x branch)
- VMware Spring Cloud Gateway versions prior to 3.0.7 (3.0.x branch)
- Oracle Commerce Guided Search 11.3.2
- Oracle Communications Cloud Native Core Binding Support Function 1.11.0, 22.1.3
- Oracle Communications Cloud Native Core Console 22.2.0
- Oracle Communications Cloud Native Core Network Exposure Function 22.1.0
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment 1.10.0
- Oracle Communications Cloud Native Core Network Repository Function 1.15.0, 1.15.1, 22.1.2, 22.2.0
- Oracle Communications Cloud Native Core Network Slice Selection Function 1.8.0, 22.1.0
- Oracle Communications Cloud Native Core Security Edge Protection Proxy 22.1.1
- Oracle Communications Cloud Native Core Service Communication Proxy 1.15.0
Discovery Timeline
- 2022-03-03 - CVE-2022-22947 published to NVD
- 2025-10-30 - Last updated in NVD database
Technical Details for CVE-2022-22947
Vulnerability Analysis
This vulnerability is classified as Code Injection (CWE-94) and Expression Language Injection (CWE-917). The flaw resides in Spring Cloud Gateway's handling of SpEL (Spring Expression Language) expressions within route filter definitions when processed through the Gateway Actuator endpoint. When the Actuator endpoint is enabled and exposed without proper authentication, attackers can inject and execute arbitrary SpEL expressions by submitting specially crafted route configurations.
The attack requires no prior authentication and can be performed entirely over the network without any user interaction. When successfully exploited, the attacker gains the ability to execute arbitrary code within the context of the application, potentially leading to complete system compromise.
Root Cause
The root cause of CVE-2022-22947 is that Spring Cloud Gateway evaluates SpEL expressions found in the filter and predicate arguments of a route definition when that definition is turned into a live route, and in the affected versions did so with an unrestricted evaluation context, so a type reference such as T(java.lang.Runtime) resolves to the real JDK class. The dynamic routing feature allows administrators to add routes through the Actuator endpoints; when that write endpoint is reachable without authentication, anyone on the network can submit a route definition and have its embedded expression evaluated by the server, which amounts to arbitrary Java code execution. The flaw is therefore not a missing input filter on one field but an administrative endpoint that accepts untrusted expression text and evaluates it with full privileges.
Attack Vector
The attack vector is a short sequence of HTTP requests to the exposed Gateway Actuator endpoint. An attacker exploits the vulnerability by:
- Sending a POST request to /actuator/gateway/routes/{id} with a route definition whose filter arguments contain a SpEL expression under the attacker's control
- Triggering a refresh via POST /actuator/gateway/refresh, which makes the gateway rebuild its routes and evaluate the expression; this step, not the request that stored the route, is where the injected code runs
- Reading the route back with GET /actuator/gateway/routes/{id}, whose response contains the evaluated filter arguments, so any output captured by the expression is returned to the attacker
- Optionally deleting the route with DELETE /actuator/gateway/routes/{id} (followed by another refresh) to remove the evidence
Exploitation requires the Gateway Actuator endpoint to be enabled, exposed over HTTP and reachable without authentication. The endpoint is enabled by default in Spring Cloud Gateway but is only served over HTTP once it has been added to management.endpoints.web.exposure.include; in practice that exposure is often configured for administrative convenience and then left without authentication or network restriction.
Detection Methods for CVE-2022-22947
Indicators of Compromise
- Write requests (POST, PUT, DELETE) to /actuator/gateway/routes/* and POST requests to /actuator/gateway/refresh from addresses outside the administrative network, in particular a create, refresh, read and delete sequence from a single client within a short window
- Unusual child processes (for example /bin/sh or cmd.exe) spawned by the Java process that runs Spring Cloud Gateway
- Network connections initiated by the gateway process to unexpected destinations
- Route definitions in logs or in the live route table (GET /actuator/gateway/routes) whose filter arguments contain SpEL such as #{T(java.lang.Runtime)...}, or short-lived routes with arbitrary ids that no longer exist when investigated
Detection Strategies
- Monitor HTTP access logs for write requests to /actuator/gateway/routes/ and for POST /actuator/gateway/refresh, and alert on the add, refresh, read sequence from one client rather than on any single request
- Implement Web Application Firewall (WAF) rules for SpEL injection markers in request bodies (#{, T(java., getRuntime().exec, ProcessBuilder), but treat them as defense in depth only: the expression can be obfuscated, for example by building class and method names through SpEL string operations, so a WAF is not a substitute for disabling or authenticating the endpoint
- Deploy network-based intrusion detection systems (IDS) with signatures for known CVE-2022-22947 exploit patterns
- Analyze application logs for unexpected route creations, refreshes or deletions, and compare the live route table against the routes defined in version-controlled configuration
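The following detector is an added example written for this page; it is not code from the Spring Cloud Gateway project or from any vendor advisory. It replays the request chain described under Attack Vector over a constructed, JSON-per-line access log (the log format, the field names, the route ids and the 10.0.0.0/8 administrative allowlist are all assumptions for the example) and implements the three detection strategies above: writes to the gateway management endpoints from outside the administrative network, SpEL indicators inside a submitted route definition, and the add, refresh, read sequence from one client, including whether the route was deleted afterwards.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Allowlist of networks from which route administration is legitimate.
# Assumption for this example; replace with your own management ranges.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample access log (not captured from any real system): one JSON
# object per line with the request body recorded. Adapt parse_log() to your format.
SAMPLE_LOG = r'''
{"ts": 1, "src": "203.0.113.7", "method": "POST", "path": "/actuator/gateway/routes/hacktest", "status": 201, "body": "{\"id\":\"hacktest\",\"filters\":[{\"name\":\"AddResponseHeader\",\"args\":{\"name\":\"Result\",\"value\":\"#{T(java.lang.Runtime).getRuntime().exec('id')}\"}}],\"uri\":\"http://example.com\"}"}
{"ts": 2, "src": "203.0.113.7", "method": "POST", "path": "/actuator/gateway/refresh", "status": 200, "body": ""}
{"ts": 3, "src": "203.0.113.7", "method": "GET", "path": "/actuator/gateway/routes/hacktest", "status": 200, "body": ""}
{"ts": 4, "src": "203.0.113.7", "method": "DELETE", "path": "/actuator/gateway/routes/hacktest", "status": 200, "body": ""}
{"ts": 5, "src": "10.0.0.5", "method": "GET", "path": "/actuator/health", "status": 200, "body": ""}
{"ts": 6, "src": "10.0.0.9", "method": "POST", "path": "/actuator/gateway/routes/orders", "status": 201, "body": "{\"id\":\"orders\",\"predicates\":[{\"name\":\"Path\",\"args\":{\"_genkey_0\":\"/orders/**\"}}],\"uri\":\"http://orders:8080\"}"}
{"ts": 7, "src": "10.0.0.9", "method": "POST", "path": "/actuator/gateway/refresh", "status": 200, "body": ""}
'''

ROUTE_RE = re.compile(r"^/actuator/gateway/routes(?:/(?P<rid>[^/?]+))?$")
REFRESH_PATH = "/actuator/gateway/refresh"

# Literal SpEL indicators that give a route definition access to arbitrary Java
# types. Attackers can obfuscate these, so a hit is one signal among several.
SPEL_PATTERNS = {
    "spel_template_marker": re.compile(r"#\{"),
    "type_reference": re.compile(r"T\s*\(\s*java\."),
    "runtime_exec": re.compile(r"Runtime\s*\)\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process_builder": re.compile(r"ProcessBuilder"),
}


def parse_log(text):
    """Yield one event dict per non-empty JSON log line."""
    for line in text.strip().splitlines():
        if line.strip():
            yield json.loads(line)


def spel_findings(body):
    """Names of the SpEL indicators present in a request body."""
    return [name for name, rx in SPEL_PATTERNS.items() if rx.search(body or "")]


def from_trusted_net(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def exploit_chains(events):
    """Add-route -> refresh -> read-route sequences by one client (the request
    order described above). Returns (route_id, added, refreshed, read, deleted)."""
    pending, chains = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        m = ROUTE_RE.match(e["path"])
        rid = m.group("rid") if m else None
        if rid and e["method"] in ("POST", "PUT"):
            pending[rid] = {"added": e["ts"], "refreshed": None, "read": None}
        elif e["path"] == REFRESH_PATH and e["method"] == "POST":
            for st in pending.values():          # a refresh materialises every pending route
                if st["refreshed"] is None:
                    st["refreshed"] = e["ts"]
        elif rid in pending and e["method"] == "GET" and pending[rid]["refreshed"] is not None:
            pending[rid]["read"] = e["ts"]       # client collects the evaluated output
        elif rid in pending and e["method"] == "DELETE":
            st = pending.pop(rid)
            if st["read"] is not None:
                chains.append((rid, st["added"], st["refreshed"], st["read"], True))
    chains += [(rid, st["added"], st["refreshed"], st["read"], False)
               for rid, st in pending.items() if st["read"] is not None]
    return chains


def analyze(log_text):
    """Run the three checks over a log and return a list of alert dicts."""
    alerts, per_src = [], defaultdict(list)
    for e in parse_log(log_text):
        m = ROUTE_RE.match(e["path"])
        if not m and e["path"] != REFRESH_PATH:
            continue                              # only the gateway management endpoints matter
        per_src[e["src"]].append(e)
        rid = m.group("rid") if m else None
        if e["method"] in ("POST", "PUT", "DELETE") and not from_trusted_net(e["src"]):
            alerts.append({"rule": "management_write_from_untrusted_source",
                           "src": e["src"], "route": rid, "ts": e["ts"]})
        if rid and e["method"] in ("POST", "PUT"):
            hits = spel_findings(e["body"])
            if hits:
                alerts.append({"rule": "spel_in_route_definition", "src": e["src"],
                               "route": rid, "ts": e["ts"], "indicators": hits})
    for src, events in per_src.items():
        for rid, added, _refreshed, _read, deleted in exploit_chains(events):
            alerts.append({"rule": "route_add_refresh_read_chain", "src": src,
                           "route": rid, "ts": added, "cleanup": deleted})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log the legitimate route added from the administrative network produces no alert, while the client at 203.0.113.7 trips all three rules and the chain alert records that the route was deleted afterwards, which is the cleanup step to look for when the live route table looks clean. The sequence rule is the one worth keeping even where request bodies are not logged, since it needs only method, path, source and time.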
Monitoring Recommendations
- Enable detailed logging for Spring Cloud Gateway Actuator endpoints
- Configure SIEM alerts for unusual patterns of Actuator endpoint access
- Implement real-time monitoring of process execution chains originating from Java applications
- Monitor outbound network traffic from Spring Cloud Gateway instances for anomalous connections
How to Mitigate CVE-2022-22947
Immediate Actions Required
- Upgrade VMware Spring Cloud Gateway to version 3.1.1 or later (for 3.1.x branch) or 3.0.7 or later (for 3.0.x branch) immediately
- If immediate patching is not possible, disable or restrict access to the Gateway Actuator endpoint
- Review network configurations to ensure Actuator endpoints are not exposed to untrusted networks
- Conduct forensic analysis of systems that may have been exposed to determine if exploitation has occurred
Patch Information
VMware has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- Spring Cloud Gateway 3.1.1 or later for the 3.1.x release branch
- Spring Cloud Gateway 3.0.7 or later for the 3.0.x release branch
For Oracle products incorporating Spring Cloud Gateway, refer to the Oracle Critical Patch Update April 2022 and Oracle Critical Patch Update July 2022 for specific remediation guidance.
Workarounds
- Disable the Gateway Actuator endpoint entirely by setting management.endpoint.gateway.enabled=false in the application configuration; this is the vendor's recommended workaround when the endpoint is not needed
- Restrict Actuator endpoint access to trusted networks only, using firewall rules or by binding the management server to a loopback or management-only address
- Require authentication and authorization for all Actuator endpoints, for example with Spring Security by allowing EndpointRequest.toAnyEndpoint() only to an administrative role; note that Spring Boot properties alone cannot add authentication
- Use network segmentation to prevent external access to management interfaces
# application.properties: disable the Gateway Actuator endpoint entirely
management.endpoint.gateway.enabled=false
# Or keep Actuator but serve it on a separate port bound to loopback, so it is not network-reachable
management.server.port=8081
management.server.address=127.0.0.1
# And expose only the endpoints that are needed over HTTP; with this list the gateway endpoint is not web-exposed
# (these are exposure settings, not authentication: require a login with Spring Security as well)
management.endpoints.web.exposure.include=health,info
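Because the vulnerability is only reachable when the endpoint is enabled, web-exposed and network-reachable at the same time, a configuration audit can confirm which of the workarounds above actually took effect. The checker below is an added example written for this page, not a Spring Boot or VMware tool. It parses application.properties and evaluates those three conditions against constructed weak, hardened and exclusion-based configurations; the default values it assumes (gateway endpoint enabled by default, exposure.include defaulting to health) follow the Spring Boot 2.x and Spring Cloud Gateway 3.x documentation and should be verified against the versions in use. It cannot see whether Spring Security protects the endpoint, so it reports that as an open question rather than guessing.

```python
import ipaddress

# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = """
# everything exposed over HTTP, management server on all interfaces (defaults)
management.endpoints.web.exposure.include=*
"""

HARDENED_CONFIG = """
management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.include=health,info
management.server.port=8081
management.server.address=127.0.0.1
"""

EXCLUDED_CONFIG = """
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=gateway
"""


def parse_properties(text):
    """Minimal .properties parser: key=value or key: value, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                props[key.strip()] = value.strip()
                break
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def _bool(value, default):
    return default if value is None else value.strip().lower() == "true"


def audit(props):
    """Evaluate the three conditions that make /actuator/gateway reachable."""
    # Assumed defaults: endpoints enabled unless enabled-by-default=false; the
    # gateway endpoint itself defaults to enabled in Spring Cloud Gateway.
    enabled_by_default = _bool(props.get("management.endpoints.enabled-by-default"), True)
    endpoint_enabled = _bool(props.get("management.endpoint.gateway.enabled"), enabled_by_default)

    # Assumed default exposure list is "health"; exclude wins over include.
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    web_exposed = ("gateway" in include or "*" in include) and not (
        "gateway" in exclude or "*" in exclude)

    # No management.server.address means the management port listens on all interfaces.
    address = props.get("management.server.address")
    loopback_only = False
    if address:
        try:
            loopback_only = ipaddress.ip_address(address).is_loopback
        except ValueError:
            loopback_only = address == "localhost"

    findings = []
    if endpoint_enabled:
        findings.append("gateway actuator endpoint is enabled (set management.endpoint.gateway.enabled=false if unused)")
    if web_exposed:
        findings.append("gateway endpoint is exposed over HTTP through management.endpoints.web.exposure.include")
    if not loopback_only:
        findings.append("management server is not bound to loopback, so it is reachable from the network")
    reachable = endpoint_enabled and web_exposed and not loopback_only
    if reachable:
        findings.append("all three conditions hold: unless Spring Security protects /actuator/gateway/**, "
                        "an unpatched gateway is exploitable; verify authentication separately")
    return {"endpoint_enabled": endpoint_enabled, "web_exposed": web_exposed,
            "loopback_only": loopback_only, "reachable": reachable, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("excluded", EXCLUDED_CONFIG)):
        print(name, audit(parse_properties(cfg)))
```

The weak configuration is reachable on every count, the hardened one fails all three conditions, and the exclusion-only configuration shows that management.endpoints.web.exposure.exclude=gateway is enough to remove the HTTP exposure even when include=* is left in place. A YAML application file needs a different parser, and an audit of the configuration says nothing about the Spring Cloud Gateway version, so the upgrade check remains separate.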
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

