Summary
In Spring Cloud Function it is possible for users to invoke unintended functions: any bean that happens to follow some arbitrary rules becomes invocable as a function. In versions 3.2.6 and above, a spring.cloud.function.ineligible-definitions
configuration property was introduced to mitigate the issue, but it still requires the developer to go over the beans that could be invoked as unintended functions and exclude them explicitly.
Product
Spring Cloud Function versions before 3.2.6.
Impact
The impact is highly dependent on the application context; in the worst case it could lead to RCE.
Steps to reproduce
- Run the following main function:
```java
import java.util.ArrayList;
import java.util.Collection;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.function.context.FunctionCatalog;
import org.springframework.cloud.function.context.catalog.SimpleFunctionRegistry;
import org.springframework.context.ApplicationContext;

@SpringBootApplication
public class DemoApplication {

    public static void main(String[] args) {
        Collection<String> registeredBeans = new ArrayList<>();
        ApplicationContext context = SpringApplication.run(DemoApplication.class, args);
        FunctionCatalog catalog = context.getBean(FunctionCatalog.class);
        System.out.println("Num of Beans: " + context.getBeanDefinitionNames().length);
        // Probe every bean name: any bean the catalog resolves is an invocable function.
        for (String functionName : context.getBeanDefinitionNames()) {
            try {
                SimpleFunctionRegistry.FunctionInvocationWrapper function =
                        (SimpleFunctionRegistry.FunctionInvocationWrapper) catalog.lookup(functionName);
                if (function != null) {
                    registeredBeans.add(functionName);
                }
            } catch (Exception e) {
                // Beans that cannot be resolved as functions are skipped.
            }
        }
        System.out.println("Num of registered functions: " + registeredBeans.size());
        System.out.println(registeredBeans);
    }
}
```
- The output lists every function a caller can invoke; it will contain more than the application intended to expose.
Expected result:
Unintended functions can be executed; the impact varies with the application.
Remediation
Update Spring Cloud Function to 3.2.6 or above, and use the spring.cloud.function.ineligible-definitions configuration property to exclude the unintended functions.
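As an added example (not part of this advisory and not code from the Spring Cloud Function project), a JUnit 5 regression test that runs the same probe as the reproduction above against an allow-list of the functions the application means to expose, so that any newly invocable bean fails the build until it is either added to the allow-list or excluded via spring.cloud.function.ineligible-definitions. It assumes DemoApplication from the reproduction, a hypothetical intended function bean named uppercase, and spring-boot-starter-test on the test classpath.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.cloud.function.context.FunctionCatalog;
import org.springframework.context.ApplicationContext;

@SpringBootTest(classes = DemoApplication.class)
class InvocableFunctionsTest {

    // Assumption: the application intends to expose exactly these function beans.
    private static final Set<String> INTENDED = new TreeSet<>(Arrays.asList("uppercase"));

    @Autowired
    private ApplicationContext context;

    @Autowired
    private FunctionCatalog catalog;

    @Test
    void onlyIntendedFunctionsAreInvocable() {
        Set<String> invocable = invocableFunctionNames(context, catalog);
        assertEquals(INTENDED, invocable,
                "unexpected invocable functions; either intend them or list them in "
                        + "spring.cloud.function.ineligible-definitions");
    }

    // Same probe as the reproduction: every bean name the catalog resolves is callable.
    static Set<String> invocableFunctionNames(ApplicationContext context, FunctionCatalog catalog) {
        Set<String> names = new TreeSet<>();
        for (String beanName : context.getBeanDefinitionNames()) {
            try {
                if (catalog.lookup(beanName) != null) {
                    names.add(beanName);
                }
            } catch (Exception e) {
                // Beans that cannot be resolved as functions are not invocable; skip them.
            }
        }
        return names;
    }
}
```

Run it as part of the normal test suite; the assertion message names the property from the Remediation section so the fix is applied in configuration rather than by widening the allow-list.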
Credit
This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.