
=====================================================================

                                   CERT-Renater

                       Note d'Information No. 2022/VULN296

_____________________________________________________________________

DATE                : 30/08/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Grails versions prior to 5.2.1,
                                  5.1.9, 4.1.1, 3.3.15.

=====================================================================
https://grails.org/blog/2022-07-18-rce-vulnerability.html
_____________________________________________________________________


Grails Framework Remote Code Execution Vulnerability

By Puneet Behl and Jason Schindler

July 18, 2022

Grails Framework information regarding CVE-2022-35912

Updates

July 20th, 2022

Updated impacted Grails framework versions.


Overview

The Grails team has confirmed a critical security vulnerability
reported by meizjm3i and codeplutos of AntGroup FG Security Lab. This
vulnerability has been assigned identifier CVE-2022-35912.

The vulnerability allows an attacker to remotely execute code within a
Grails application runtime by issuing a specially crafted web request
that grants the attacker access to the class loader. This attack
exploits a section of the Grails data-binding logic. Grails data-binding
is invoked in a number of ways including the creation of command
objects, domain class construction, and manual data binding when using
bindData. For a full description, please refer to the data-binding
documentation.


Impacted Applications

      Grails framework versions
          >= 3.3.10 & < 3.3.15
          >= 4.0.0 & < 4.1.1
          >= 5.0.0 & < 5.1.9
          5.2.0

      Running on Java 8
      Using embedded Tomcat runtime, as well as those deployed to a
      Servlet Container

We have confirmed this vulnerability on Grails framework versions 3.3.10
and higher (including Grails framework 4 and 5) that are running on Java
8. The vulnerability has been observed in both the embedded Tomcat
runtime and applications deployed as a war to a Tomcat instance.


Due to the nature of this vulnerability, we strongly suggest that all
Grails applications, including those that are not vulnerable to this
specific attack, be updated to a patched Grails release. While we have
not been able to reproduce this specific exploit on applications running
in Java 11 or in versions of the Grails framework before 3.3.10,
variations on the attack could be discovered that impact earlier Grails
releases and Grails applications running on higher versions of Java.


Protecting Your Applications

The following Grails framework versions have been patched for this
vulnerability:

      5.2.1
      5.1.9
      4.1.1
      3.3.15

The best way to protect your Grails applications is to upgrade to a
patched release of the framework.

Grails 4.x applications can be upgraded to version 4.1.1 or higher,
Grails 5.0.x and 5.1.x applications to 5.1.9 or higher, and Grails 5.2
applications to 5.2.1 or higher.


Protecting Grails 3 Applications

For Grails 3 applications, we have released Grails framework 3.3.15,
which includes a patch for this vulnerability. Please note that Grails
framework version 3 has reached end of support, and we strongly
recommend that all Grails 3 applications be upgraded to an actively
maintained version of the framework.


Protecting Grails 2 Applications

As mentioned above, this specific attack is enabled by code added in
version 3.3.10 of the Grails framework, so Grails framework version 2
applications are not vulnerable to it. Due to the nature of the exploit,
we strongly suggest that you upgrade your Grails applications to a
patched and supported version of the framework. Grails framework version
2 has reached end of support.
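
As an added example (not part of the original advisory or of the Grails
project's code), the following Python script applies the impacted ranges
and patched releases listed above to a project's gradle.properties. It
assumes the framework version is declared there as grailsVersion=...;
the function names and status labels are illustrative, and the sample
input is constructed.

```python
import re

# (first impacted, first patched) pairs from "Impacted Applications";
# 5.2.0 alone is written as the range 5.2.0 <= v < 5.2.1.
IMPACTED_RANGES = [
    ((3, 3, 10), (3, 3, 15)),
    ((4, 0, 0), (4, 1, 1)),
    ((5, 0, 0), (5, 1, 9)),
    ((5, 2, 0), (5, 2, 1)),
]


def grails_version(gradle_properties: str):
    """Return (major, minor, patch) from a grailsVersion line, or None."""
    m = re.search(r"^\s*grailsVersion\s*[=:]\s*(\d+)\.(\d+)\.(\d+)",
                  gradle_properties, re.MULTILINE)
    # Suffixes such as -SNAPSHOT or .RC1 are ignored (treated as the release).
    return tuple(int(g) for g in m.groups()) if m else None


def java_major(version: str) -> int:
    """Map '1.8.0_332' -> 8 and '11.0.15' -> 11."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]


def assess(version, java: int):
    """Return (status, first patched release for that line or None)."""
    for first, fixed in IMPACTED_RANGES:
        if first <= version < fixed:
            # The exploit was confirmed on Java 8 only; on other JVMs it
            # was not reproduced, but the advisory still asks for the upgrade.
            status = "impacted" if java == 8 else "upgrade-advised"
            return status, ".".join(map(str, fixed))
    if version < (3, 3, 10):
        # Predates the code this attack relies on; the advisory still
        # recommends moving to a patched, supported release.
        return "upgrade-advised", None
    return "patched", None


# Constructed sample input, not taken from a real project.
SAMPLE = "org.gradle.daemon=true\ngrailsVersion=5.1.7\n"

if __name__ == "__main__":
    v = grails_version(SAMPLE)
    print(v, assess(v, java_major("1.8.0_332")))
```
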


Next Steps

The Grails Foundation and the Grails core development team take
application security very seriously. We are continuing to research and
monitor this vulnerability and will update this post with new
information as it is discovered.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

