Tal Melamed, Senior Director, Cloud Native Security Research, Contrast Security
Subscribe to the Contrast Blog
By subscribing to our blog, you’ll stay up to date with the latest appsec news and DevOps best practices. You’ll also be informed about Contrast’s latest product news and exciting application security events.
Another weakness in the supply chain puts thousands of organizations at risk of cyber attacks.
In December 2021, we witnessed a high-impact application security event with Log4Shell. It was a vulnerability that exploited a weakness in a common Java library, Log4j. It’s only been a few months and now we’re seeing another high impact vulnerability that exploits a weakness in the very popular open source Java framework, Spring.
According to our Contrast Security data, almost three out of four applications developed in Java make use of this framework. While it is very common in traditional web applications and web servers like Apache Tomcat, it can reappear in less expected application architectures like AWS Serverless. Even without a “Server”, applications could still use the Spring Framework with cloud features.
So, again, we decided to “test this in house” and used our popular serverless environment, AWS Lambda functions, to check if this environment could also be at risk from a related vulnerability, Spring Cloud Function SpEL Injection (CVE-2022-22963). Unlike the Log4j vulnerability (CVE-2021-44228), for which AWS immediately released a hot patchwe did not see any mitigation provided by AWS this time.
For vulnerable code, we use the open source project: https://github.com/rieckpil/blog-tutorials/tree/master/serverless-java-aws-examples/spring-cloud-function-aws and with slight modifications, we made it work in an AWS Lambda function. In the video below, Paolo Spagli and Matteo Rosi, security researchers in Contrast Security’s Cloud Native team, show how they exploited a Lambda function using the Spring Cloud Function RCE vulnerability (SpEL injection), stealing the function’s secret keys.
Once mined from the function, an attacker can use these keys from their own computer to interact with other services and resources in the cloud environment owned by the organization.
Should you worry? Well, if your organization is running Java-based Lambda functions, you should probably check to see if the Spring Framework is used during development. But as always, Contrast Security always makes sure to be on the front lines and find a solution for you.
Our purpose-built security solution for AWS Lambda functions is already working on its ability to detect these types of vulnerabilities in your code, even before you deploy them to production. So you can go to sleep with a clear conscience.
The following video shows Contrast Serverless Application Security detecting the vulnerability in a Lambda function.
With just three clicks and less than five minutes, you can protect your entire AWS serverless stack with Contrast Serverless Application Security. Keeping your Lambda functions secure, continuously, without configuration.