Discover the impact of CVE-2021-22053, affecting applications using Spring Cloud Netflix versions 2.2.x prior to 2.2.10.Release. Learn how to mitigate code execution risks and secure your systems.
Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf are vulnerable to code execution due to improper input validation. Attackers can exploit this vulnerability by submitting malicious data in the request URI path. This can lead to code execution through SpringEL expressions.
Understanding CVE-2021-22053
This CVE affects Spring Cloud Netflix versions 2.2.x prior to 2.2.10.Release, as well as older, unsupported versions.
What is CVE-2021-22053?
Applications that use both of the components named above expose a security flaw that allows attackers to inject and execute code by manipulating the request URI path. This vulnerability arises from the improper handling of user input.
The Impact of CVE-2021-22053
Exploiting this vulnerability can result in unauthorized code execution on affected systems. Attackers can leverage this to execute arbitrary commands and potentially compromise the application and underlying infrastructure.
Technical Details of CVE-2021-22053
Spring Cloud Netflix versions 2.2.x prior to 2.2.10.Release, as well as older, unsupported versions, are vulnerable to code injection through SpringEL expressions.
Vulnerability Description
The issue stems from the evaluation of user-provided data following the /hystrix/monitor path as SpringEL expressions. This can lead to code injection and execution within the application environment.
Affected Systems and Versions
Applications using the vulnerable versions of Spring Cloud Netflix are at risk. It is crucial to update to version 2.2.10.Release or later to mitigate this vulnerability.
Exploitation Mechanism
By manipulating the request URI path with malicious data, attackers can insert code that gets executed within the application context, bypassing normal security mechanisms.
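Because the vulnerable behaviour is triggered by data appended to the /hystrix/monitor path itself (not by the query string that the dashboard normally uses), a defender can spot attempts in web-server access logs by flagging any request whose path continues past /hystrix/monitor. The script below is an added example, not code from the page or from the Spring Cloud project; the log lines are constructed samples in combined-log format, and the classification rules are an assumption about what a legitimate dashboard request looks like (exactly /hystrix/monitor, optionally with a trailing slash, plus query parameters).

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2021:10:01:12 +0000] "GET /hystrix/monitor?stream=http%3A%2F%2Fapp%3A8080%2Factuator%2Fhystrix.stream HTTP/1.1" 200 5120
10.0.0.7 - - [10/Nov/2021:10:02:30 +0000] "GET /hystrix/monitor;extra=segment HTTP/1.1" 200 5120
10.0.0.9 - - [10/Nov/2021:10:03:44 +0000] "GET /hystrix/monitor/trailing/path HTTP/1.1" 404 310
10.0.0.2 - - [10/Nov/2021:10:04:01 +0000] "GET /actuator/health HTTP/1.1" 200 15
10.0.0.8 - - [10/Nov/2021:10:05:19 +0000] "GET /hystrix/ HTTP/1.1" 200 2048
"""

# Fields of a combined-log request line: source, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

MONITOR_PREFIX = "/hystrix/monitor"


@dataclass
class Finding:
    src: str
    ts: str
    target: str
    status: int
    reason: str


def split_target(target):
    """Separate the path from the query string; only the path is of interest here."""
    path, _, query = target.partition("?")
    return path, query


def classify_hystrix_request(path):
    """Return a reason string if the path carries data after /hystrix/monitor, else None.

    The path is percent-decoded first so that encoded separators are not missed
    (the servlet container decodes the path before routing).
    """
    decoded = unquote(path)
    if not decoded.startswith(MONITOR_PREFIX):
        return None
    rest = decoded[len(MONITOR_PREFIX):]
    if rest in ("", "/"):
        return None  # assumed normal dashboard request
    if rest.startswith(";"):
        return "matrix-style suffix after /hystrix/monitor"
    return "extra path data after /hystrix/monitor"


def scan_access_log(text):
    """Parse each log line and collect requests that deserve a closer look."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        path, _query = split_target(m["target"])
        reason = classify_hystrix_request(path)
        if reason:
            findings.append(Finding(m["src"], m["ts"], m["target"], int(m["status"]), reason))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.status} {f.target} -> {f.reason}")
```

Run against the sample, only the second and third lines are reported: the first is the ordinary dashboard request (its stream argument lives in the query string), and the remaining lines never touch the monitor path. A 404 on a flagged request does not mean the attempt was harmless on a vulnerable version, since the evaluation happens during view resolution; treat any hit as worth correlating with the dependency versions of the target application.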
Mitigation and Prevention
To protect your systems from CVE-2021-22053, immediate actions should be taken to secure the affected applications and prevent potential exploits.
Immediate Steps to Take
Upgrade to the patched versions of Spring Cloud Netflix, specifically versions 2.2.10.Release or newer, to address this vulnerability. Additionally, review and sanitize user input to prevent code injection attacks.
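Both the affected-versions statement and the upgrade step above come down to one check: is spring-cloud-netflix-hystrix-dashboard present together with spring-boot-starter-thymeleaf, and is the dashboard artifact older than 2.2.10? The script below is an added example (not code from the page or the Spring Cloud project) that applies that check to the output of a Maven dependency listing. The dependency lines are constructed samples; the Maven coordinates use the artifact names from the page under the groups the author knows them to ship in, and the assumption that every version below 2.2.10 (including the older unsupported lines) counts as affected follows the page's own statement.

```python
import re

# Constructed excerpt in the style of `mvn dependency:list`; versions are sample values.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.springframework.cloud:spring-cloud-netflix-hystrix-dashboard:jar:2.2.9.RELEASE:compile
[INFO]    org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.3.12.RELEASE:compile
[INFO]    org.springframework.cloud:spring-cloud-starter-netflix-hystrix:jar:2.2.9.RELEASE:compile
"""

DASHBOARD = ("org.springframework.cloud", "spring-cloud-netflix-hystrix-dashboard")
THYMELEAF = ("org.springframework.boot", "spring-boot-starter-thymeleaf")

# First version that carries the fix, per the advisory: 2.2.10 (Maven string "2.2.10.RELEASE").
FIXED_VERSION = (2, 2, 10)

# group:artifact:jar:version:scope
DEP_RE = re.compile(
    r'(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[^:\s]+):(?P<scope>\w+)'
)


def parse_version(version):
    """Reduce a Spring-style version ("2.2.9.RELEASE") to a comparable numeric tuple."""
    nums = []
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            break  # stop at the qualifier (RELEASE, SR1, ...)
    return tuple(nums) + (0,) * (3 - len(nums))


def parse_dependencies(text):
    """Map (group, artifact) -> version for every dependency line in the listing."""
    return {(m["group"], m["artifact"]): m["version"] for m in DEP_RE.finditer(text)}


def assess(deps):
    """Decide whether the dependency set matches the affected combination."""
    dashboard = deps.get(DASHBOARD)
    thymeleaf = deps.get(THYMELEAF)
    if dashboard is None or thymeleaf is None:
        return {"exposed": False,
                "reason": "exposure requires both artifacts; at least one is absent"}
    if parse_version(dashboard) < FIXED_VERSION:
        return {"exposed": True,
                "reason": f"{DASHBOARD[1]} {dashboard} is older than the fixed 2.2.10 line"}
    return {"exposed": False,
            "reason": f"{DASHBOARD[1]} {dashboard} is at or above the fixed version"}


if __name__ == "__main__":
    result = assess(parse_dependencies(SAMPLE_DEPENDENCY_LIST))
    print("EXPOSED" if result["exposed"] else "not exposed", "-", result["reason"])
```

Feed it the real listing from the build (`mvn dependency:list` for Maven; for Gradle, adapt the regex to the `dependencies` task output) rather than the pom alone, since the dashboard version is usually inherited from the Spring Cloud BOM and only the resolved listing shows what actually ships.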
Long-Term Security Practices
Implement secure coding practices, input validation mechanisms, and regularly assess your applications for vulnerabilities to maintain a robust security posture.
Patching and Updates
Stay informed about security updates and patches released by the Spring Cloud Netflix project. Promptly apply relevant patches to ensure your applications are protected from known vulnerabilities.