Back to overview

Threat intelligence

Code Injection in Spring Cloud: CVE-2024-37084

by Jordan Riddles

Overview

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-37084, assessed its impact, and developed mitigation measures for this vulnerability.

CVE-2024-37084 is a critical vulnerability affecting Spring Cloud Data Flow versions 2.11.0 through 2.11.3. A malicious user with access to the Skipper server API can exploit a flaw in the upload request process, allowing them to write arbitrary files to any location on the server’s file system, potentially compromising the server. This vulnerability is assigned a CVSS score of 9.8 by VMware, indicating its critical nature. The flaw is associated with CWE-94, indicating improper control of code generation, which increases the risk of exploitation. Users of affected versions are strongly advised to upgrade to version 2.11.4 to mitigate this vulnerability. For more details, refer to the official advisory at Spring.io.

Technical Overview

Figure 1: Upload Method

The vulnerability is triggered when the Skipper server processes HTTP POST requests to its REST API on port 7577. The upload() method (Figure 1) handles package uploads by accepting a JSON object containing the packageFileAsBytes key, which holds a Base64-encoded ZIP file. Once uploaded, the ZIP file is unpacked, and the server deserializes a package.yaml file, which contains metadata about the package. The issue arises because the contents of the YAML file are processed without adequate validation. This allows attackers to embed harmful Java class constructors directly within the YAML structure, enabling arbitrary code execution by deserializing classes like javax.script.ScriptEngineManager which are commonly used for remote code execution.

A critical security flaw in Spring Cloud Skipper arises from the improper deserialization of YAML files using the standard YAML constructor. The root cause lies in the constructor’s failure to restrict the types of objects being created during the deserialization process, allowing attackers to provide malicious YAML data that could lead to remote code execution (RCE). This flaw is particularly dangerous because it enables attackers to craft specific YAML content that forces the application to instantiate arbitrary Java classes, bypassing security controls and executing harmful code.

The package.yaml file plays a central role in the exploitation, as it is deserialized using the SnakeYAML library’s yaml.load() method (Figure 2). The library allows special syntax like !!<java class constructor>, which permits the deserialization of any Java class constructor present in the YAML file. Without restrictions on what can be deserialized, attackers can execute untrusted code.

Figure 2: yaml.load

Triggering the Vulnerability

To trigger the CVE-2024-37084 vulnerability, an attacker crafts a malicious YAML file containing specific Java class constructors that enable the deserialization of arbitrary objects. This file is then embedded within a ZIP file and sent to the Spring Cloud Skipper server via an HTTP POST request targeting the REST API. The ZIP file must contain a package.yaml file, which is unpacked and processed by the vulnerable yaml.load() method (Figure 2). Once deserialized, the malicious code is executed, granting the attacker remote control over the system and enabling arbitrary code execution.

  1. Craft a Malicious YAML File: Create a YAML file with specific Java class constructors like !!javax.script.ScriptEngineManager to exploit deserialization.
  2. Send a Malicious HTTP POST Request: Upload the crafted YAML through an HTTP POST request to the Skipper server’s REST API.
  3. ZIP File Structure: Ensure the ZIP file contains a package.yaml file with the malicious content for deserialization.
  4. Execute Arbitrary Code: Upon processing the package.yaml, arbitrary code execution is triggered, allowing control over the system.

Exploitation

Exploitation of CVE-2024-37084 involves not only triggering the vulnerability but carefully executing a series of steps to manipulate the behavior of the Spring Cloud Skipper server. Once the attacker crafts a malicious YAML payload, they embed it within a package.yaml file and package it in a ZIP file. To evade detection by IPS/IDS systems and web application firewalls, the payload is often Base64-encoded or converted into a byte array before being sent. The attacker targets the vulnerable /api/package/upload endpoint using an HTTP POST request (Figure 3) with a carefully formatted UploadRequest JSON object to ensure the server processes the payload without raising validation errors.

Figure 3: Post Request

Once the server receives and unpacks the ZIP file, it deserializes the YAML using the insecure yaml.load() method. If the YAML contains malicious code, such as references to external resources or a remote JAR file, the server will execute this code, leading to remote code execution (RCE). For instance, the attacker may use classes like javax.script.ScriptEngineManager to execute arbitrary code or java.net.URLClassLoader to load external libraries from a controlled server. Instructions for creating a malicious JAR file, which can be used to execute arbitrary code on the target server, are available here. The attacker can compile their Java code and host the JAR file on a web server, allowing the Spring Cloud Skipper server to retrieve and execute it upon deserialization. Monitoring server behavior, such as HTTP GET requests to the malicious resource, confirms the presence and exploitation of the vulnerability.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 20414 Spring Cloud Data Flow Insecure Deserialization 1
  • IPS: 20415 Spring Cloud Data Flow Insecure Deserialization 2
  • IPS: 20416 Spring Cloud Data Flow Insecure Deserialization 3

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Restricting API Access: Limit API access to only trusted users or systems.
  • Utilizing Up-to-Date IPS Signatures: Keep IPS signatures updated to block known threats.
  • Limiting Access to Critical Systems: Only allow trusted users access to key systems.
  • Regularly Updating and Patching Systems: Ensure all systems are regularly updated and patched.

Relevant Links

Spring Security Advisory

National Vulnerability Database (NVD)

Common Vulnerability Scoring System Calculation

CWE-94: Improper Control of Generation of Code (‘Code Injection’)

Spring Cloud Data Flow

Share This Article

An Article By

Jordan Riddles

Junior Copywriter
Jordan Riddles is a Junior Copywriter for SonicWall. He has a background in content creation and editing, and he lives in Tulsa, Oklahoma. Jordan is a graduate of Northeastern State University in Tahlequah, Oklahoma, with a focus in English and creative writing. In his spare time, he loves reading, cooking and disc golfing.