Recently, an official test case for Spring Cloud Function exposed a SpEL expression injection vulnerability in Spring Cloud Function.
The vulnerability can be exploited by injecting a SpEL expression to trigger remote command execution.
Spring Cloud Function is a function computing framework based on Spring Boot. By abstracting away transport details and infrastructure, it lets developers keep their familiar development tools and processes and focus on implementing business logic, which improves development efficiency.
Spring Cloud Function is a project with the following high-level goals:
* Promote the implementation of business logic via functions.
* Decouple the development lifecycle of business logic from any specific runtime target, so that the same code can run as a web endpoint, a stream processor, or a task.
* Support a uniform programming model across serverless providers, as well as the ability to run standalone (locally or in a PaaS).
* Enable Spring Boot features (auto-configuration, dependency injection, metrics) on serverless providers.
It abstracts away all of the transport details and infrastructure, allowing developers to keep all their familiar tools and processes and focus on business logic.
At present, Spring Cloud Function has been adopted by many technology giants, including AWS Lambda, Azure, Google Cloud Functions, Apache OpenWhisk, and possibly other "serverless" service providers.
The vulnerability has been classified as serious, with a CVSS score of 9.0 (out of 10).
The good news is that only dynamic routing in certain version-specific configurations of Spring Cloud Function (3 <= version <= 3.2.2) is affected.
The bad news is that SpEL expressions come in many variants, such as charset and replace, and at the time of writing no new version has been officially released. In addition, an exploit for this critical vulnerability is already available on the Internet.
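Because no fixed release exists yet, the first triage step is to find which services ship a version inside the affected range. The following is an added example, not code from the Spring project or the original article: it scans `mvn dependency:tree` style output for Spring Cloud Function artifacts and flags versions with 3 <= version <= 3.2.2. The sample tree and the `groupId:artifactId:type:version:scope` line layout without a classifier are assumptions; a flagged version still needs its dynamic routing configuration reviewed.

```python
import re

# Affected range as stated in the article: 3 <= version <= 3.2.2
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 2, 2)

# groupId:artifactId:type:version[:scope], as printed by `mvn dependency:tree`
# (assumed layout: no classifier field between type and version)
COORD = re.compile(
    r"(org\.springframework\.cloud):(spring-cloud-function[\w-]*):"
    r"[\w-]+:([^:\s]+)"
)

def parse_version(text):
    """Return (major, minor, patch) for '3.2.2', '3.0.6.RELEASE', '3.2'; None if not numeric."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def find_affected(dependency_tree):
    """List (artifact, version) pairs whose version falls in the affected range."""
    hits = []
    for line in dependency_tree.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        version = parse_version(m.group(3))
        if version and AFFECTED_MIN <= version <= AFFECTED_MAX:
            hits.append((m.group(2), m.group(3)))
    return hits

# Constructed sample output, not taken from a real project
SAMPLE_TREE = """\
[INFO] com.example:orders-fn:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO] +- org.springframework.cloud:spring-cloud-function-adapter-aws:jar:3.0.6.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-function-core:jar:2.1.1.RELEASE:compile
[INFO] \\- org.springframework.boot:spring-boot-starter:jar:2.6.4:compile
"""

if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_TREE):
        print(f"AFFECTED  {artifact}  {version}")
```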