Grails Framework Remote Code Execution Vulnerability
July 18, 2022
Grails Framework information regarding CVE-2022-35912
Updates
July 20th, 2022
Updated impacted Grails framework versions.
Overview
The Grails team has confirmed a critical security vulnerability reported by meizjm3i and codeplutos of AntGroup FG Security Lab. This vulnerability has been assigned identifier CVE-2022-35912.
The vulnerability allows an attacker to remotely execute code within a Grails application runtime by issuing a specially crafted web request that grants the attacker access to the class loader. The attack exploits a section of the Grails data-binding logic. Grails data binding is invoked in a number of ways, including the creation of command objects, domain class construction, and manual data binding via bindData. For a full description, please refer to the data-binding documentation.
Impacted Applications
- Grails framework versions
  - >= 3.3.10 & < 3.3.15
  - >= 4.0.0 & < 4.1.1
  - >= 5.0.0 & < 5.1.9
  - 5.2.0
- Running on Java 8
- Using the embedded Tomcat runtime, as well as applications deployed to a Servlet Container
We have confirmed this vulnerability on Grails framework versions 3.3.10 and higher (including Grails framework 4 and 5) that are running on Java 8. The vulnerability has been observed in both the embedded Tomcat runtime and applications deployed as a war to a Tomcat instance.
Due to the nature of this vulnerability, we strongly suggest that all Grails applications, including those that are not vulnerable to this specific attack, be updated to a patched Grails release. While we have not been able to reproduce this specific exploit on applications running on Java 11 or on versions of the Grails framework before 3.3.10, the nature of the vulnerability is such that variations on the attack could be discovered that impact earlier Grails releases and Grails applications running on higher versions of Java.
Protecting Your Applications
The following Grails framework versions have been patched for this vulnerability:
- 5.2.1
- 5.1.9
- 4.1.1
- 3.3.15
The best way to protect your Grails applications is to upgrade to a patched release of the framework.
Grails 4.x applications can be upgraded to version 4.1.1 or higher, Grails 5.0.x and 5.1.x applications can be upgraded to 5.1.9 or higher, and Grails 5.2 applications can be upgraded to 5.2.1 or higher.
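For teams that maintain many Grails applications, the impacted ranges listed under "Impacted Applications" and the patched releases listed above are easiest to apply as a script. The following is an added example (not code from the Grails project or this advisory) that reads the grailsVersion key from a gradle.properties file, checks it against the advisory's ranges, and names the patched release to move to; the function names and the sample gradle.properties content are constructed for illustration, and the Java-version handling follows the advisory's guidance that a non-Java 8 runtime lowers confidence in the finding but does not remove the recommendation to upgrade.

```python
"""Check a Grails application's framework and Java versions against the ranges
CVE-2022-35912 lists as impacted and report the patched release to upgrade to.
Added example; helper names and sample input are constructed, not project code."""

import re

# Impacted ranges from the advisory: (inclusive lower bound, exclusive upper bound,
# patched release). 5.2.0 is listed as a single impacted version, patched in 5.2.1.
IMPACTED_RANGES = [
    ((3, 3, 10), (3, 3, 15), "3.3.15"),
    ((4, 0, 0), (4, 1, 1), "4.1.1"),
    ((5, 0, 0), (5, 1, 9), "5.1.9"),
    ((5, 2, 0), (5, 2, 1), "5.2.1"),
]


def parse_version(text):
    """Turn '5.1.8' (optionally with a suffix such as '-RC1') into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grails version: {text!r}")
    return tuple(int(p) for p in m.groups())


def impacted_release(grails_version):
    """Return the patched release to upgrade to if the version falls in an
    impacted range, or None if it is outside all listed ranges."""
    v = parse_version(grails_version)
    for low, high, patched in IMPACTED_RANGES:
        if low <= v < high:
            return patched
    return None


def assess(grails_version, java_major):
    """Combine the framework and Java checks into an advisory-style verdict.

    The advisory confirms the exploit only on Java 8 but recommends that every
    application upgrade, so a different JVM lowers the finding's confidence
    rather than clearing it."""
    patched = impacted_release(grails_version)
    if patched is None:
        return ("not in impacted range", None)
    if java_major == 8:
        return ("impacted (confirmed on Java 8)", patched)
    return ("impacted framework version; exploit not reproduced on this Java "
            "version, upgrade still recommended", patched)


def grails_version_from_properties(properties_text):
    """Pull grailsVersion out of gradle.properties-style text (key=value lines)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("grailsVersion"):
            _key, _sep, value = line.partition("=")
            return value.strip()
    return None


# Constructed sample of a gradle.properties file, not taken from any real project.
SAMPLE_PROPERTIES = """\
grailsVersion=5.1.8
gormVersion=7.1.2
org.gradle.daemon=true
"""

if __name__ == "__main__":
    version = grails_version_from_properties(SAMPLE_PROPERTIES)
    verdict, target = assess(version, java_major=8)
    print(f"Grails {version}: {verdict}" + (f"; upgrade to {target}" if target else ""))
```

Run against each application's gradle.properties together with the JVM major version it is deployed on; the version tuple comparison keeps the range boundaries exact (3.3.15, 4.1.1, 5.1.9 and 5.2.1 all report as not impacted), and versions before 3.3.10 report as outside the listed ranges, consistent with the advisory's statement about Grails 2 and earlier 3.x releases.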
Protecting Grails 3 Applications
For Grails 3 applications, we have released Grails framework 3.3.15, which includes a patch for this vulnerability (please note that Grails framework version 3 has reached end of support, and we strongly recommend that all Grails 3 applications be upgraded to an actively maintained version of the framework).
Protecting Grails 2 Applications
As mentioned above, this specific attack is enabled by code added in version 3.3.10 of the Grails framework, so Grails framework version 2 applications are not vulnerable to it. Due to the nature of the exploit, we strongly suggest that you upgrade your Grails applications to a patched and supported version of the framework. Grails framework version 2 has reached end of support.
Next Steps
The Grails Foundation and the Grails core development team take application security very seriously. We are continuing to research and monitor this vulnerability and will update this post with new information as it is discovered.