CVE-2022-23463 Overview
CVE-2022-23463 is a critical Spring Expression Language (SpEL) Injection vulnerability affecting Nepxion Discovery, a popular solution for Spring Cloud microservices. The vulnerability exists in the discovery-commons component where the DiscoveryExpressionResolver's eval method evaluates expressions using a StandardEvaluationContext. This insecure configuration allows attackers to craft malicious expressions that can interact with Java classes such as java.lang.Runtime, ultimately leading to Remote Code Execution (RCE) on affected systems.
Critical Impact
Unauthenticated attackers can achieve Remote Code Execution by exploiting the SpEL injection vulnerability, potentially gaining complete control over affected Spring Cloud microservices infrastructure.
Affected Products
- Nepxion Discovery (all versions for Spring Cloud)
- discovery-commons component
- Spring Cloud deployments using Nepxion Discovery
Discovery Timeline
- 2022-09-24 - CVE-2022-23463 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23463
Vulnerability Analysis
The vulnerability stems from the unsafe use of Spring Expression Language (SpEL) evaluation within the Nepxion Discovery framework. SpEL is a powerful expression language that supports querying and manipulating objects at runtime. When SpEL expressions are evaluated using StandardEvaluationContext, they have full access to Java's reflection capabilities and can invoke arbitrary methods on any accessible class.
In this case, the DiscoveryExpressionResolver.eval() method processes user-controlled input without proper sandboxing. The StandardEvaluationContext provides unrestricted access to Java classes, allowing attackers to construct expressions that reference classes like java.lang.Runtime to execute system commands, or other dangerous classes to read/write files, establish network connections, or perform other malicious operations.
The vulnerability is classified under CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement), which describes injection flaws specific to expression language interpreters. This attack vector is particularly dangerous in Spring Cloud environments where microservices may have elevated privileges or access to sensitive internal systems.
Root Cause
The root cause is the use of StandardEvaluationContext instead of SimpleEvaluationContext for SpEL expression evaluation. StandardEvaluationContext provides full access to Java types, constructors, and methods through reflection. When user-controlled data flows into expressions evaluated with this context, attackers can leverage SpEL's type reference syntax (T(className)) to access any Java class on the classpath and invoke methods, including those capable of executing arbitrary system commands.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can send specially crafted HTTP requests or other input that reaches the vulnerable DiscoveryExpressionResolver.eval() method. By injecting malicious SpEL expressions, the attacker can:
- Access the java.lang.Runtime class using SpEL's type reference syntax
- Obtain a Runtime instance via Runtime.getRuntime()
- Execute arbitrary system commands using exec() method
- Establish reverse shells, download malware, or pivot to other internal systems
The vulnerability allows full command execution with the privileges of the Spring application process, which in containerized environments may have access to secrets, databases, and other microservices.
Detection Methods for CVE-2022-23463
Indicators of Compromise
- Unusual HTTP requests containing SpEL syntax patterns such as T(, java.lang.Runtime, or getRuntime() in request parameters or headers
- Unexpected process spawning from Java application processes, particularly shell interpreters (/bin/sh, cmd.exe)
- Network connections to unexpected external IP addresses originating from Spring Cloud application containers
- Log entries showing expression evaluation errors or unusual class loading activity
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing SpEL injection patterns like T(java.lang. or Runtime.getRuntime()
- Deploy runtime application self-protection (RASP) solutions to monitor and block dangerous method invocations within the JVM
- Enable detailed logging for Spring Cloud Discovery components to capture expression evaluation activity
- Use SentinelOne Singularity Platform to detect post-exploitation behavior such as unauthorized process creation and network reconnaissance
Monitoring Recommendations
- Monitor application logs for SpEL parsing exceptions or unusual expression evaluation patterns
- Track process creation events from Java application containers, particularly executions of shell interpreters or system utilities
- Alert on outbound network connections from Spring Cloud services to untrusted external addresses
- Implement network segmentation monitoring to detect lateral movement attempts from compromised microservices
How to Mitigate CVE-2022-23463
Immediate Actions Required
- Assess your environment for any deployments of Nepxion Discovery in Spring Cloud infrastructure
- Implement network-level controls to restrict access to affected services from untrusted networks
- Deploy WAF rules to filter incoming requests containing SpEL injection patterns
- Consider disabling or replacing the affected discovery-commons component if feasible
- Enable enhanced logging and monitoring on all Spring Cloud services using Nepxion Discovery
Patch Information
At the time of publication, there is no patch available for this vulnerability. Organizations should monitor the GitHub Security Advisory for updates on remediation options. In the absence of a vendor patch, implementing defense-in-depth measures and considering alternative service discovery solutions is recommended.
Workarounds
- No official workarounds are provided by the vendor at this time
- Implement strict input validation at the application gateway layer to sanitize expressions before they reach the vulnerable component
- Deploy network segmentation to limit exposure of affected services to trusted internal networks only
- Consider migrating to alternative Spring Cloud service discovery implementations that do not use StandardEvaluationContext for expression evaluation
- Apply the principle of least privilege to application service accounts to limit the impact of potential exploitation
# Example WAF rule pattern for ModSecurity to detect SpEL injection attempts
# Add to your WAF configuration
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS "@rx T\s*\(\s*java\.lang\.(Runtime|ProcessBuilder)" \
"id:100001,phase:2,deny,status:403,log,msg:'Potential SpEL Injection Attack Detected'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
