
ADTSA-2022002: Remote code execution in Spring Cloud Function by malicious Spring Expression

Description


In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, it is possible for a user to supply a specially crafted SpEL expression as the routing-expression, which may result in remote code execution and access to local resources.


CVE ID



Affected Products


Under investigation. Affected products will be promptly added as each investigation is completed.


Unaffected Products


Product Family / Products

ACI-E
  • All products
ADTRAN OS IP Business Gateways, Routers, & Switches
  • NetVanta 1200 Series
  • NetVanta 1530 Series
  • NetVanta 1540 Series
  • NetVanta 1550 Series
  • NetVanta 1600 Series
  • NetVanta 3000 Series
  • NetVanta 4000 Series
  • NetVanta 5000 Series
  • NetVanta 6000 Series
  • Total Access 900/900e Series
Carrier Ethernet NIDs
  • NetVanta 800 Series
  • NetVanta 8000 Series
EPON OLTs
  • 9500 Series
  • FSU 7000 Series
  • SDX 6210-4
EPON ONUs
  • 1004
  • 6304W
  • 8001A
  • 8001B
  • FSU Series
Ethernet Service Delivery Gateways & Mesh APs (PlumeOS)
  • All products
Ethernet Service Delivery Gateways & Mesh APs (SmartOS)
  • All products
GPON, XGS-PON, & Active Ethernet ONUs
  • 300 Series (all generations)
  • 400 Series
  • SDX 600 Series
GPON & XGS-PON Service Delivery Gateways
  • SDG 814-v6
  • SDG 825-v6
  • SDX 822v
hiX
  • All products
Mosaic Cloud Platform
  • All products
Mosaic Cloud Platform Plugins
  • All products
n-Command MSP
  • All products
OPTI Series
  • All products
SDX 6000 Series OLTs
  • SDX 6010-16
  • SDX 6020-48
  • SDX 6310-16
  • SDX 6320-16
SDX 8000 Series Aggregation Switches
  • All products
SmartRG Ethernet Residential Gateways & Mesh APs
  • SE80ac
  • SR400ac
  • SR905ac
  • SR905acv
SmartRG VDSL2 Residential Gateways
  • SR506n
  • SR516ac
  • SR555ac
Total Access 1100 & 1200 Series
  • All products
Total Access 5000
  • All products

Revision History


Revision  Date        Changes
B         2022-04-06  Added ACI-E, Ethernet Service Delivery Gateways & Mesh APs (PlumeOS), hiX, Mosaic Cloud Platform, and n-Command MSP as unaffected products. Updated EPON OLTs, Ethernet Service Delivery Gateways & Mesh APs (SmartOS), and Mosaic Cloud Platform Plugins.
A         2022-04-01  Initial release.
Last update: 04-06-2022 07:39 PM