The open-source web app framework’s maintainers advise patching all versions, even those that are not thought to be susceptible.

A significant security flaw has been identified by AntGroup FG Security Lab researchers that enables remote code execution within Grail’s application runtimes.

Agile online applications are created using the open-source Grail’s framework, which is based on the Apache Groovy programming language. Google, IBM, Walmart, Credit Suisse, and Mastercard are a few of our clients.

An attacker can exploit the weakness, which is catalogued as CVE-2022-35912, by sending a specially crafted web request that gives the attacker access to the class loader and allows the attacker to remotely execute code within a Grails application runtime.

The assault makes use of Grails’ data-binding logic, which is activated in a number of methods, including the creation of command objects, the development of domain classes, and manually using bindData to bind data.

The flaw has been identified in Java 8-based Grail’s framework versions 3.3.10 and higher, including Grail’s frameworks 4 and 5. It has been noticed in both apps installed as Web Archive (WAR) files into a Tomcat instance and the integrated Tomcat runtime.

The Grails team stated in a blog post that “given the nature of this vulnerability, we highly urge that all Grails applications, including those that are not vulnerable to this specific attack, be updated to a patched Grails release.”

 “While we have not been able to replicate this specific exploit on applications running in Java 11 or in versions of the Grails framework prior to 3.3.10, the nature of the vulnerability is such that variations on the attack could be discovered that earlier Grails releases, as well as Grail’s applications running on higher versions of Java, will be impacted,” the report states.

Patches available

The team suggests updating to a patched version of versions 5.2.1, 5.1.9, 4.1.1, and 3.3.15 because those versions have recently received updates. Applications built with Grails 4.x can be updated to version 4.1.1 or higher, those built with Grails 5.0.x and 5.1.x can be updated to version 5.1.9 or higher, and those built with Grails 5.2 can be updated to version 5.2.1 or better. The core development team of Grails stated, “The Grails Foundation and the Grails core development team take application security very seriously. “We are still looking into and keeping an eye on this vulnerability.”