KB Article #182087

Zero-Day Vulnerability in Java Spring Framework "Spring4Shell"

Problem

-- Is API Gateway vulnerable to the zero-day vulnerability discovered in the Java Spring Framework, "Spring4Shell"?

https://spring.io/blog/2022/03/31/spring-framework...

https://tanzu.vmware.com/security/cve-2022-22965

https://www.lunasec.io/docs/blog/spring-rce-vulner...

https://www.rapid7.com/blog/post/2022/03/30/spring...

Resolution

* As of now, none of the Spring vulnerabilities are exploitable with API Gateway:

CVE-2022-22965 - zero-day vulnerability in Spring4Shell

Spring Framework RCE, Early Announcement

NVD - CVE-2022-22965 (nist.gov)

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+.

API Gateway requires JDK 8, not JDK 9+.

API Gateway does not invoke or provide filters or other services that would call the above Spring MVC and Spring WebFlux APIs, including the code paths behind the RCE.

API Gateway uses Spring to communicate with Cassandra; however, the Spring vulnerabilities are not exploitable through that Cassandra integration.

CVE-2022-22963 - the Spring Cloud vulnerability

CVE report published for Spring Cloud Function

NVD - CVE-2022-22963 (nist.gov)

API Gateway does not invoke or provide filters or other services that would call the Spring Cloud Function APIs.

CVE-2022-22950 - the Spring Expression DoS vulnerability

CVE report published for Spring Framework

NVD - CVE-2022-22950 (nist.gov)

API Gateway does not invoke or provide filters or other services that would evaluate Spring SpEL expressions.

CVE-2021-22096

CVE-2021-22096: Log Injection in Spring Framework | Security | VMware Tanzu

NVD - CVE-2021-22096 (nist.gov)

API Gateway does not invoke or provide filters or other services that would call the affected Java APIs with user-supplied input.

* However, scanning tools will still report these vulnerabilities on older API Gateway versions because of the Spring module versions shipped. This has been resolved for the May 2022 and later releases via RDAPI-27028 by updating Spring and removing unnecessary and unused Spring components.
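The two conditions the CVE-2022-22965 section relies on (JDK 9+ and the Spring MVC/WebFlux module version) are also what a vulnerability scanner keys on, so a local check of both is useful when triaging scanner findings. The script below is an added example, not part of this article or of the API Gateway product; it takes the install directory as an argument, assumes no product-specific paths, and uses the Spring Framework fix versions 5.3.18 and 5.2.20 published for this CVE.

```shell
#!/bin/sh
# Added example (not from the KB article or the API Gateway product).
# Checks the two preconditions the article cites for CVE-2022-22965:
# the Java major version (JDK 9+ affected, JDK 8 not) and the version of
# any spring-webmvc / spring-webflux jars under an install directory.
# The install directory is passed as an argument; no product path is assumed.

# java_major "1.8.0_321" -> 8 ; java_major "11.0.14" -> 11
java_major() {
  case "$1" in
    1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
    *)   printf '%s\n' "$1" | cut -d. -f1 ;;
  esac
}

# version_ge A B: true when dotted numeric version A >= B, component-wise
version_ge() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"; a="${a#*.}"; b="${b#*.}"
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# spring4shell_status VERSION: "fixed" if at/after the patched Spring
# Framework releases (5.3.18 and 5.2.20), otherwise "vulnerable"
spring4shell_status() {
  case "$1" in
    5.3.*) version_ge "$1" 5.3.18 && echo fixed || echo vulnerable ;;
    5.2.*) version_ge "$1" 5.2.20 && echo fixed || echo vulnerable ;;
    # 5.1 and earlier lines got no fix; anything newer than 5.3.18 postdates it
    *)     version_ge "$1" 5.3.18 && echo fixed || echo vulnerable ;;
  esac
}

# scan_jars DIR: one line "<artifact> <version> <status>" per affected jar
scan_jars() {
  find "$1" -name 'spring-webmvc-*.jar' -o -name 'spring-webflux-*.jar' |
  while read -r jar; do
    base=$(basename "$jar" .jar)
    # keep only the leading numeric part, e.g. "5.1.9.RELEASE" -> "5.1.9"
    ver=$(printf '%s\n' "${base##*-}" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/')
    echo "${base%-*} $ver $(spring4shell_status "$ver")"
  done
}

# Stand-alone use: sh check.sh /path/to/install
if [ $# -ge 1 ]; then
  jv=$(java -version 2>&1 | sed -nE '1s/.*"([^"]+)".*/\1/p')
  echo "java $jv (major $(java_major "$jv"); JDK 9+ is in scope)"
  scan_jars "$1"
fi
```

A jar reported as "vulnerable" on a JDK 8 runtime still matches the article's position (not exploitable) but explains why a version-based scanner flags it.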