Our “First Seen URL” page did show attempts to access /actuator/gateway/routes this weekend. So I dug in a bit deeper to see what these scans are all about. The scans originate from %%ip:188.8.131.52%% and have been going on for a few days already, but our first-seen list doesn’t display them until they hit a threshold to consider the scans significant. We also see scans from a couple of our IPs, but at a much lower level.
A typical complete request from 184.108.40.206:
GET /actuator/gateway/routes HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
The scan for /actuator/gateway/routes may be looking for systems that are possibly vulnerable to %%CVE:2022-22947%% or other vulnerabilities in the Spring Cloud function (we had at least three different vulnerabilities recently). This vulnerability was patched at the beginning of March , and exploits are available. The actual exploit would include a JSON formated payload with the actual command to be executed. A simple code injection vulnerability, exploitation is trivial. But to be vulnerable, a system needs to use the Spring Cloud functions, which are not as popular as the basic Spring Core library vulnerable to Spring4Shell (cve-2022-22965).
The same source also scans for various vulnerabilities, indicating that this test was added to a bot used to compromise multiple sites. Here is a partial list of other vulnerabilities scanned by this source:
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.