As described by NIST for CVE-2022-22963, Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions allow a user, when the routing functionality is in use, to supply a specially crafted SpEL expression as a routing expression, which may result in remote code execution and access to local resources.
The vulnerability was initially reported on March 29, 2022. Grafana Labs has reviewed our code base, issues, projects, vulnerabilities, libraries, and licenses, and we found no evidence that we have been impacted by the Spring4Shell vulnerability.
According to VMware, the Spring4Shell vulnerability (CVE-2022-22965) bypasses the fix for CVE-2010-1622, making that older issue exploitable again. The bypass is possible because JDK 9 and later expose a second path from a bound object's class to its class loader that the original CVE-2010-1622 fix does not block; JDK versions before 9 expose only the single path that the 2010 fix already restricts, which is why the issue is reported as affecting JDK 9+.
CISA encourages users and administrators to immediately apply the necessary updates described in the Spring Blog posts that provide the Spring Cloud Function updates addressing CVE-2022-22963 and the Spring Framework updates addressing CVE-2022-22965. CISA also recommends reviewing the VMware Tanzu Vulnerability Report "CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+" and CERT Coordination Center (CERT/CC) Vulnerability Note VU#970766 for more information.
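One practical way to act on the update advice above is to audit a build's resolved dependencies against the affected range the advisory states for Spring Cloud Function (3.1.6, 3.2.2 and older). The following script is an added example, not Grafana Labs' code: it parses the coordinate lines printed by `mvn dependency:list` and flags Spring Cloud Function artifacts that fall in that range. The sample listing is constructed. It covers only CVE-2022-22963, because this page states affected versions for Spring Cloud Function but not for the Spring Framework; to cover CVE-2022-22965 as well, take the fixed Spring Framework versions from the Spring Blog post the advisory points to and add a second range check.

```python
"""Audit a Maven dependency listing for Spring Cloud Function artifacts in the
range the advisory calls affected for CVE-2022-22963 (3.1.6, 3.2.2 and older).

Added example, not Grafana Labs' code. Input is the coordinate line format
printed by `mvn dependency:list` (groupId:artifactId:type[:classifier]:version:scope);
the listing below is constructed for the demonstration.
"""
import re
from typing import List, Optional, Tuple

SCF_GROUP = "org.springframework.cloud"
SCF_ARTIFACT_PREFIX = "spring-cloud-function"

# Constructed sample in `mvn dependency:list` output format.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.2.3:compile
[INFO]    org.springframework.cloud:spring-cloud-function-core:jar:3.1.6:compile
[INFO]    org.springframework:spring-context:jar:5.3.17:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.0.14.RELEASE:runtime
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.2.2' or '3.0.14.RELEASE' into (major, minor, patch).

    Only the leading numeric components are used. A qualifier such as RELEASE
    or -SNAPSHOT is ignored, so a 3.1.7-SNAPSHOT built before the fix landed
    would be reported as clean; review such builds by hand.
    """
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """Affected per the advisory: 3.1.6, 3.2.2 and anything older.

    That is every version below 3.1.7, plus the 3.2 line below 3.2.3.
    """
    v = parse_version(version)
    return v < (3, 1, 7) or (3, 2, 0) <= v < (3, 2, 3)


def parse_dependency_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for one coordinate line, else None.

    Text after the coordinates (newer Maven appends module info) is ignored.
    """
    m = re.match(r"^\[INFO\]\s+(\S+)", line)
    if not m:
        return None
    parts = m.group(1).split(":")
    if len(parts) == 5:      # groupId:artifactId:type:version:scope
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:      # groupId:artifactId:type:classifier:version:scope
        return parts[0], parts[1], parts[4]
    return None              # log chatter such as "[INFO] The following files ..."


def scan_dependency_list(text: str) -> List[str]:
    """List 'group:artifact:version' for each affected Spring Cloud Function dependency."""
    hits = []
    for line in text.splitlines():
        coord = parse_dependency_line(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if group == SCF_GROUP and artifact.startswith(SCF_ARTIFACT_PREFIX) and is_affected(version):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


if __name__ == "__main__":
    for hit in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print("CVE-2022-22963 affected:", hit)
```

Run it against real output with `mvn dependency:list | python audit.py` after replacing the constructed sample with `sys.stdin.read()`. Transitive dependencies matter here: a project that does not declare `spring-cloud-function` directly can still pull in a vulnerable version through a starter, which is why the check runs over the resolved list rather than over the pom.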
If you have any questions or concerns, please contact our Support team by opening a ticket from within your grafana.com portal page.
Reporting security issues
If you think you have found a security vulnerability, please send a report to email@example.com. This address can be used for all of Grafana Labs’ open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
We maintain a category on the Grafana community site called Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes. We also have a security category on our blog.
You can also subscribe to email updates to this category if you have a grafana.com account and sign on to the community site or track updates via an RSS feed.