Possible Grails® MITM Vulnerability
May 30, 2019
Introduction
In the Grails® framework, we have been using Travis to automatically release new versions.
Some time ago, a user opened an issue detailing a possible MITM (Man in the Middle) attack because we were using a non-secured repository as part of the build process.
Our Analysis
The HTTP repository mentioned before was only used to resolve SDKMan notification service and not for any project dependencies. All project dependencies were resolved with HTTPS.
We have conducted an audit of the latest versions of the Grails 3.1.x, 3.2.x, 3.3.x, and 4.x lines, and we have verified that their contents have not been manipulated.
We undertook the same process as the Groovy team and diffed all jars and executable content. There were 6 differences in the generated byte code, which we isolated to an issue in the Groovy compiler, which was simply changing the order of the byte code output – not the byte code itself.
In addition, we have released Grails 3.3.10, which includes the applied patch, as well as a version of Groovy that also has the patch applied.
Assuring This Won't Happen Again
We have added a check that will make the build fail if any repository is not secure. You can get more information on this solution here.
Steps for Users
No action is necessary. The issue was specifically related to the build of the framework itself and not applications built with it. If there were an issue, it would have been introduced in the build of the Grails framework (not your Grails apps), and we have verified that Grails code itself was not compromised. Thus, users do not need to verify their own apps because they weren’t resolving dependencies over HTTP. However, in case of doubt, you can upgrade to Grails 3.3.10, which includes the applied patch.