
The CVE-2022-22963 Spring Cloud Function vulnerability was recently discovered, and a simple fix was provided by the team here: cve-report-published-for-spring-cloud-function

We are getting spring-cloud-function-context:3.0.6 from spring-cloud-stream:3.0.4 via the following dependencies (our spring.boot.version is 2.2.6):

  • spring-cloud-services-starter-circuit-breaker:2.2.6
  • spring-cloud-bus:2.2.6 (including amqp/kafka)
  • spring-cloud-starter-stream-kafka:3.0.4
  • spring-cloud-starter-stream-rabbit:3.0.4

We are not using RoutingFunction directly, but are afraid that the libraries which bring in spring-cloud-function-context/core via spring-cloud-stream, which I've mentioned above, might use RoutingFunction and expose us to the vulnerability.

What is the preferred mitigation for us on this CVE?
Can we upgrade to spring-cloud-function version 3.1.7 without compatibility issues with our spring version?

Yuval Simhon

2 Answers


First, spring-cloud-stream is not affected by the CVE you mention. It only affects spring-cloud-function if the spring-cloud-function-web module is used.

As for the issue you are describing in your last comment (NCDFE), this can only happen if you are using old and incompatible versions of Stream and Functions.

So..., as Soby mentioned, 3.1 is EOL, so you still have to upgrade.
You can upgrade the standard spring-boot way by updating the spring-cloud BOM:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>2021.0.3</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

Or you can manually change individual dependencies.

  • Spring Cloud Function - 3.2.6
  • Spring Cloud Stream - 3.2.4

Oleg Zhurakousky
  • Could you please provide source code for: https://www.youtube.com/watch?v=oTTfaynD1Xc&t=639s? – PAA Aug 08 '22 at 15:30
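As an added example (not code from either answer), the "manually change individual dependencies" route above written out as a Maven pom.xml fragment: it pins spring-cloud-function-context and spring-cloud-function-core together (a later comment on this page shows that upgrading -context alone ends in NoClassDefFoundError) and pairs them with the matching spring-cloud-stream line, while keeping the BOM import from the answer. The binder artifactIds and the assumption that the project's Spring Boot version is already compatible with these releases are mine, not stated on the page.

```xml
<!-- Added example: explicit overrides of the individual Spring Cloud
     Function / Stream artifacts to the versions the answer names.
     Assumes Maven and a Spring Boot version compatible with these releases. -->
<project>
  <!-- ... your project's own groupId/artifactId/parent ... -->
  <properties>
    <spring-cloud-function.version>3.2.6</spring-cloud-function.version>
    <spring-cloud-stream.version>3.2.4</spring-cloud-stream.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pin -context AND -core together; upgrading only -context leaves
           -core at the old version and yields NoClassDefFoundError. -->
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-function-context</artifactId>
        <version>${spring-cloud-function.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-function-core</artifactId>
        <version>${spring-cloud-function.version}</version>
      </dependency>
      <!-- s-c-function must be paired with the matching s-c-stream line -->
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-stream</artifactId>
        <version>${spring-cloud-stream.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-stream-binder-kafka</artifactId>
        <version>${spring-cloud-stream.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-stream-binder-rabbit</artifactId>
        <version>${spring-cloud-stream.version}</version>
      </dependency>
      <!-- Explicit entries above take precedence over the imported BOM -->
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-dependencies</artifactId>
        <version>2021.0.3</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

Confirm what actually resolved with `mvn dependency:tree -Dincludes=org.springframework.cloud` and check that no 3.0.x spring-cloud-function artifact remains in the tree.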

Spring Cloud Function and Spring Cloud Stream 3.0.x versions are out of OSS/commercial support. Even for 3.1.x versions, they are out of OSS support, as seen from that chart in the links provided. The routing function issue is addressed in Spring Cloud Function 3.2.3 and 3.1.7 versions. Our recommendation is to manually upgrade to one of those versions for the module spring-cloud-function-context.

sobychacko
  • If we can't immediately upgrade our spring cloud stream, is it still recommended to upgrade the spring-cloud-function-context to version 3.2.3 / 3.1.7 and stay with spring-cloud-stream 3.0.x? – Yuval Simhon Apr 12 '22 at 15:21
  • Yes, that is an approach you can try. Not sure if there are going to be compatibility issues, but worth a try. – sobychacko Apr 12 '22 at 15:23
  • Also, in the context of spring-cloud-stream, the probability of exploiting the aforementioned CVE is nearly impossible. – Oleg Zhurakousky Apr 19 '22 at 12:43
  • @sobychacko I tried to follow your suggestion and upgraded `spring-cloud-function-context` only to 3.1.7. It started throwing error `NoClassDefFoundError: org/springframework/cloud/function/core/FunctionInvocationHelper`. I then upgraded `spring-cloud-function-core` to also 3.1.7. Now it is throwing error `ClassNotFoundException: org.springframework.cloud.function.context.catalog.BeanFactoryAwareFunctionRegistry$FunctionInvocationWrapper`. I am using spring-boot 2.3.7 with spring 5.2.20. Any suggestion here? – tuk Jul 22 '22 at 05:27
  • That is because you are using an incompatible version of spring-cloud-stream probably. It is hard to say since you are not providing a stack trace. In any event s-c-function 3.1.x is only compatible with s-c-stream 3.1.x – Oleg Zhurakousky Aug 10 '22 at 09:51