Serverless Function Security for Spring-Related Attacks | Supply Chain Attack Protection

Another weakness in the supply chain puts thousands of organizations at risk for cyber attacks.

In December 2021, we witnessed a hugely impactful application security event with Log4Shell, a vulnerability in a common Java library, Log4j. Just a few months have passed, and we are now looking at another wide-impact vulnerability, this time in the very popular open-source Java framework, Spring.

According to our data at Contrast Security, almost three out of four applications developed in Java make use of this framework. While it is very common in traditional web applications and on web servers such as Apache Tomcat, it can also appear in less expected application architectures, such as AWS Serverless. Even without a “server”, applications could still be using the Spring framework with cloud functions.

So again, we’ve decided to “try this at home” and we used our popular Serverless environment, AWS Lambda functions, to check whether this environment could also be at risk for a related vulnerability, Spring Cloud Function SpEL Injection (CVE-2022-22963). Unlike for the Log4j vulnerability (CVE-2021-44228), for which AWS immediately released a hot-patch, we did not see any mitigation provided by AWS this time.

For the vulnerable code, we used the open-source project https://github.com/rieckpil/blog-tutorials/tree/master/serverless-java-aws-examples/spring-cloud-function-aws and, with slight modifications, made it work on an AWS Lambda function. In the video below, Paolo Spagli and Matteo Rosi, Security Researchers in the Cloud Native team at Contrast Security, show how they exploited a Lambda function using the Spring Cloud Function RCE vulnerability (SpEL injection), stealing the function’s secret keys.

[Embedded video]

Once extracted from the function, these keys can then be used by an attacker from their own computer to interact with other services and resources in the cloud environment owned by the organization.

Should you worry? Well, if your organization is running Java-based Lambda functions, you should probably check whether the Spring framework was used in their development. But as always, Contrast Security makes sure to be at the frontline and come up with a solution for you.
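One way to run that check against a built Lambda deployment package, as an added example (not Contrast tooling and not code from the original post): it inventories every Spring Cloud Function module and version bundled in a zip or jar, so the versions can be compared against the vendor advisory for CVE-2022-22963. It assumes dependencies sit as jars inside the package or were shaded with their Maven `pom.properties` intact; the function names and the `0.0.0-SAMPLE` versions are constructed for illustration.

```python
import io
import re
import zipfile

# Matches .../spring-cloud-function-<module>-<version>.jar (dependency shipped as a jar).
JAR_NAME = re.compile(r"(?:^|/)(spring-cloud-function[\w-]*?)-(\d[\w.\-]*)\.jar$")
# Matches Maven metadata that usually survives shading into a single fat jar (assumption).
POM_PROPS = re.compile(r"(?:^|/)META-INF/maven/[^/]+/(spring-cloud-function[\w-]*)/pom\.properties$")


def find_spring_cloud_function(archive_bytes, path="", depth=0):
    """Return {(artifact, version, location)} for each Spring Cloud Function module found."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            where = f"{path}!/{name}" if path else name
            if m := JAR_NAME.search(name):
                hits.add((m.group(1), m.group(2), where))
            if m := POM_PROPS.search(name):
                text = zf.read(name).decode("utf-8", "replace")
                props = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
                hits.add((m.group(1), props.get("version", "unknown").strip(), where))
            if name.endswith(".jar") and depth < 3:  # look inside nested jars too
                try:
                    hits |= find_spring_cloud_function(zf.read(name), where, depth + 1)
                except zipfile.BadZipFile:
                    pass  # unreadable archive; a file-name match above still counts
    return hits


def build_sample_package():
    """Constructed sample: a Lambda zip holding one plain jar and one shaded jar."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for entry_name, data in entries.items():
                zf.writestr(entry_name, data)
        return buf.getvalue()
    pom = "META-INF/maven/org.springframework.cloud/spring-cloud-function-context/pom.properties"
    shaded = make_zip({pom: "version=0.0.0-SAMPLE\n"})
    return make_zip({
        "lib/spring-cloud-function-adapter-aws-0.0.0-SAMPLE.jar": make_zip({"x": b""}),
        "lib/function-shaded.jar": shaded,
        "lib/jackson-core-0.0.0-SAMPLE.jar": make_zip({"x": b""}),
    })


if __name__ == "__main__":
    print(*sorted(find_spring_cloud_function(build_sample_package())), sep="\n")
```

To scan a real artifact, pass the bytes of the deployment zip or jar to `find_spring_cloud_function`; an empty result means no Spring Cloud Function module was found by either naming convention.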

Our purpose-built security solution for AWS Lambda functions is already working on its ability to detect such vulnerabilities in your code, even before you deploy them into production. So you can go to sleep with a clear conscience.

The video below demonstrates Contrast Serverless Application Security detecting the vulnerability in a Lambda function.

[Embedded video]

With just three clicks and less than five minutes, you could secure your entire AWS Serverless stack with Contrast Serverless Application Security, keeping your Lambda functions safe, continuously, with zero configuration.

Tal Melamed, Senior Director, Cloud-Native Security Research, Contrast Security