CVE-2022-35912

9.8 CRITICAL

📋 TL;DR

CVE-2022-35912 is a critical (CVSS 9.8) remote code execution vulnerability in Grails data binding, the component that copies HTTP request parameters onto domain classes, command objects and other beans. A crafted request lets the binder reach the application's class loader, and from there an attacker can execute arbitrary code with the privileges of the application server. It affects every Grails release line from 3.3.x to 5.2.x before the fixed versions when the application runs under certain Java 8 configurations. Organizations exposing Grails applications are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Grails Framework
Versions: Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1
Operating Systems: All operating systems running Grails
Default Config Vulnerable: ⚠️ Yes
Notes: The advisory ties the issue to certain Java 8 configurations but does not enumerate them. Treat every Grails application on a vulnerable version that runs on Java 8 as affected; the remedy is a framework upgrade regardless of JVM configuration.

📦 What is this software?

Grails is an open-source web application framework for the JVM, written in Groovy and, from Grails 3 onward, built on Spring Boot. Its data binding component maps HTTP request parameters onto domain classes, command objects and other beans, so it runs on nearly every controller action that accepts user input.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with attacker gaining full control over the server, data exfiltration, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to application compromise, data theft, and potential ransomware deployment.

🟢

If Mitigated

Network segmentation and a WAF limit lateral movement and block the obvious probes, but the application itself, its data and its credentials are still exposed until the framework is upgraded.

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication on internet-facing applications.
🏢 Internal Only: HIGH - Internal applications remain vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Data binding runs inside whichever controller action receives the request, so any route that binds parameters (login and registration forms included) is a potential entry point; no special endpoint has to be exposed. An attacker who knows the technique needs only an HTTP request, and authentication is required only where the target route itself demands it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Grails 3.3.15, 4.1.1, 5.1.9, or 5.2.1

Vendor Advisory: https://grails.org/blog/2022-07-18-rce-vulnerability.html

Restart Required: Yes

Instructions:

1. Identify the Grails version in use: the grailsVersion entry in gradle.properties for Grails 3 and later, and the org.grails:grails-databinding artifact actually resolved on the runtime classpath.
2. Raise the version to the patched release for your line: 3.3.15, 4.1.1, 5.1.9, or 5.2.1.
3. Refresh the dependencies in build.gradle (or pom.xml for Maven builds) so grails-databinding and the rest of the Grails dependencies move with it.
4. Rebuild and redeploy the application.
5. Restart the application server and confirm the running artifact reports the new version.

🔧 Temporary Workarounds

Restrict what data binding can reach

all

Grails has no supported setting that turns data binding off: grails.databinding.enabled is not a Grails configuration key, and grails.databinding.useSpringBinder was a Grails 2.3 migration flag for the legacy Spring binder, not a mitigation. Disabling binding wholesale would also break every controller that reads form input. The interim measure that does work is to shrink the bindable surface: declare sensitive properties bindable: false in domain-class constraints, and bind in controllers only through an explicit include list (next workaround). Neither replaces the upgrade.

Input validation and sanitization

all

Bind only an explicit allowlist of parameter names with bindData(). Never hand the whole params map to the binder (new MyDomain(params), obj.properties = params), and do not expect a typed action argument to filter anything: binding into a command object or domain-class argument has already run by the time the action body executes, so a closure action that allowlists params after receiving MyDomain obj filters too late.

// In controller
def save() {
    def obj = new MyDomain()
    bindData(obj, params, [include: ['allowedField1', 'allowedField2']])
    obj.save()
}
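A fuller version of the allowlist workaround, as an added example that is not code from the Grails advisory or project. The Account domain class and AccountController are hypothetical and assume a Grails 3+ application; the unsafe action is kept beside the hardened one to show exactly which call hands the whole request to the binder.

```groovy
// Added example, not code from the Grails advisory or project. Account and
// AccountController are hypothetical; in a real app they live in
// grails-app/domain/example/Account.groovy and
// grails-app/controllers/example/AccountController.groovy.
package example

class Account {
    String username
    String email
    String role = 'user'

    static constraints = {
        username blank: false
        email    email: true
        // Never reachable through data binding, whatever the caller sends.
        role     bindable: false
    }
}

class AccountController {

    // Unsafe: the whole params map, including any nested property path an
    // attacker puts in a parameter name, is handed to the binder. On an
    // unpatched Grails this is the call that exposes the class loader.
    def saveUnsafe() {
        def account = new Account(params)
        account.save()
        redirect action: 'show', id: account.id
    }

    // Hardened: only the two listed parameter names are bound; everything
    // else in params, nested paths included, is ignored. This shrinks the
    // attack surface but is defence in depth, not a substitute for upgrading.
    def save() {
        def account = new Account()
        bindData(account, params, [include: ['username', 'email']])
        if (!account.save()) {
            respond account.errors, view: 'create'
            return
        }
        redirect action: 'show', id: account.id
    }
}
```

The include list is matched against parameter names before the binder walks any property path, so a request carrying class.classLoader.something alongside username never reaches the object. Apply the same pattern to every action that binds input, including JSON bodies, and keep bindable: false on properties such as roles or flags that the client must never set.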

🧯 If You Can't Patch

  • Put the application behind strict network segmentation and firewall rules so only the clients that need it can reach it; every route that binds parameters is a potential entry point, so do not try to protect it by blocking individual URLs
  • Deploy a WAF or reverse-proxy rule that rejects requests, query string and form or JSON body alike, whose parameter names contain class, classLoader or metaClass, including percent-encoded variants; treat this as a stopgap that a determined attacker may evade

🔍 How to Verify

Check if Vulnerable:

Find the Grails version the build pins: for Grails 3 and later it is the grailsVersion entry in gradle.properties (Grails 2 kept it as app.grails.version in application.properties). If it is below 3.3.15, 4.1.1, 5.1.9, or 5.2.1 on its release line, the application is vulnerable. The build-time pin can lag the artifact actually shipped, so also inspect the org.grails:grails-databinding jar on the runtime classpath.

Check Version:

grep grailsVersion gradle.properties (Grails 3+) or grep app.grails.version application.properties (Grails 2); ./gradlew dependencies --configuration runtimeClasspath | grep grails-databinding shows the binder artifact actually resolved

Verify Fix Applied:

Confirm the build pins 3.3.15, 4.1.1, 5.1.9, or 5.2.1 (or later on the same release line) and that the deployed artifact contains an org.grails:grails-databinding jar of that version; a stale build or a transitive override can leave the old binder in place. Then exercise an endpoint that binds request parameters and confirm that a request whose parameter names path through class or classLoader is not bound.
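To make the version check above repeatable across many applications, here is an added example (not Grails project code) that classifies a Grails version string against the four fixed versions named in the advisory and can read grailsVersion from a gradle.properties file. The file name check_grails.groovy and the sample versions are assumptions for illustration.

```groovy
// Added example, not Grails project code. Classifies a Grails version against
// the affected ranges from the advisory: before 3.3.15, 4.x before 4.1.1,
// 5.x before 5.1.9, 5.2.x before 5.2.1.
// Usage: groovy check_grails.groovy [path/to/gradle.properties]

class GrailsVersionCheck {

    // [major, minor, patch] from "5.1.8", "4.0.13", "5.2.0-SNAPSHOT",
    // "3.3.14.RELEASE"; trailing qualifiers are ignored.
    static List<Integer> parse(String version) {
        def m = version.trim() =~ /^(\d+)\.(\d+)\.(\d+)/
        if (!m.find()) {
            throw new IllegalArgumentException("Not a Grails version: ${version}")
        }
        (1..3).collect { m.group(it) as int }
    }

    // Lexicographic comparison of two [major, minor, patch] lists.
    static int compare(List<Integer> a, List<Integer> b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return a[i] <=> b[i]
        }
        0
    }

    // true when the version lies inside one of the affected ranges.
    static boolean isVulnerable(String version) {
        def v = parse(version)
        switch (v[0]) {
            case { it < 3 }: return true            // "before 3.3.15" covers 2.x as well
            case 3: return compare(v, [3, 3, 15]) < 0
            case 4: return compare(v, [4, 1, 1]) < 0
            case 5:
                if (v[1] <= 1) return compare(v, [5, 1, 9]) < 0
                if (v[1] == 2) return compare(v, [5, 2, 1]) < 0
                return false
            default: return false                   // 6.x and later ship the fix
        }
    }

    // grailsVersion= from a Gradle properties file (Grails 3+ project layout).
    static String versionFromGradleProperties(File f) {
        def props = new Properties()
        f.withInputStream { props.load(it) }
        def v = props.getProperty('grailsVersion')
        if (!v) throw new IllegalStateException("no grailsVersion in ${f}")
        v
    }
}

if (args.length > 0) {
    def version = GrailsVersionCheck.versionFromGradleProperties(new File(args[0]))
    println "Grails ${version}: ${GrailsVersionCheck.isVulnerable(version) ? 'VULNERABLE' : 'patched'}"
} else {
    // Constructed sample versions, one either side of each fix boundary.
    ['3.3.14', '3.3.15', '4.0.13', '4.1.1', '5.1.8', '5.1.9', '5.2.0', '5.2.1', '6.0.0'].each {
        println "${it.padRight(8)} ${GrailsVersionCheck.isVulnerable(it) ? 'VULNERABLE' : 'patched'}"
    }
}
```

The script only reads the build-time pin. For the deployed artifact, pair it with ./gradlew dependencies --configuration runtimeClasspath | grep grails-databinding, or list the jars in the packaged WAR, and feed that version to isVulnerable as well.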

📡 Detection & Monitoring

Log Indicators:

  • Stack traces or warnings from the grails.databinding or org.grails.web.databinding packages raised by requests to ordinary form endpoints
  • Request parameters, in application or access logs, whose names contain the segments class, classLoader or metaClass
  • Classes loaded or child class loaders created that the application never produces on its own (visible with -verbose:class or JVM tooling, not in application logs)
  • Reflection or class-loader activity following a single inbound request, where the application has no such code path

Network Indicators:

  • Requests to any route that binds parameters (forms, JSON bodies, command objects) whose parameter names contain class, classLoader or metaClass, including percent-encoded spellings such as class%2EclassLoader
  • There is no dedicated data-binding endpoint: binding runs inside whichever controller action receives the request, so monitor all application routes rather than a specific path

SIEM Query:

source="access.log" AND (uri_query="*classLoader*" OR uri_query="*class.*" OR uri_query="*class%2E*" OR uri_query="*metaClass*")

source="application.log" AND "grails.databinding" AND (Exception OR ERROR)

Field names follow Splunk's web data model (uri_query); adapt them to your schema. The first query sees only query strings, so parameter names sent in POST bodies need a WAF or reverse-proxy log that records them.
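The same parameter-name check, run offline over log lines, as an added example that is not from the advisory or the Grails project. It assumes the probe shows up as a parameter name that paths through class, classLoader or metaClass, which is what the CVE's "access to the class loader" implies (every Groovy object exposes getClass() and getMetaClass(), and Class exposes getClassLoader()); the advisory publishes no sample requests. The three log lines are constructed, not real traffic.

```groovy
// Added example, not from the advisory or the Grails project. Flags requests
// whose parameter names walk through class / classLoader / metaClass, the
// properties a Grails binder must never bind. Assumption: the probe arrives
// as a parameter name; the advisory publishes no sample requests.
import java.net.URLDecoder

class BindingProbeDetector {
    // Property-path segments no legitimate form ever targets (lower-cased).
    static final List<String> FORBIDDEN = ['class', 'classloader', 'metaclass']

    // Decoded parameter names from a query string; values do not matter.
    static List<String> paramNames(String query) {
        if (!query) return []
        query.split('&').collect { pair ->
            URLDecoder.decode(pair.split('=', 2)[0], 'UTF-8')
        }
    }

    // "class.classLoader.foo[0]" is split on '.', '[' and ']' so every path
    // segment is inspected, not only the first.
    static boolean isProbe(String name) {
        name.split(/[.\[\]]+/)*.toLowerCase().any { it in FORBIDDEN }
    }

    // Suspicious parameter names from one access-log line (combined format).
    static List<String> suspiciousParams(String logLine) {
        def m = logLine =~ /"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP\/[\d.]+"/
        if (!m.find()) return []
        String target = m.group(1)
        int q = target.indexOf('?')
        if (q < 0) return []
        paramNames(target.substring(q + 1)).findAll { isProbe(it) }
    }
}

// Constructed sample lines, not real traffic. Only the second and third
// carry a probe: class.classLoader.foo and metaClass[x] (percent-encoded).
def samples = [
    '10.0.0.5 - - [18/Jul/2022:10:01:02 +0000] "POST /account/save?username=bob&email=bob%40example.com HTTP/1.1" 302 0',
    '203.0.113.9 - - [18/Jul/2022:10:01:05 +0000] "POST /account/save?class.classLoader.foo=bar HTTP/1.1" 500 0',
    '203.0.113.9 - - [18/Jul/2022:10:01:07 +0000] "GET /account/show?id=1&metaClass%5Bx%5D=1 HTTP/1.1" 200 512',
]

samples.each { line ->
    def hits = BindingProbeDetector.suspiciousParams(line)
    if (hits) {
        println "ALERT ${line.tokenize(' ')[0]} params=${hits}"
    }
}
```

Because names are percent-decoded before matching, class%2EclassLoader is caught as well. Access logs carry only query strings; to cover form-encoded or JSON bodies, run the same isProbe check in a WAF rule or a request filter in front of the application.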

🔗 References

  • Grails advisory: https://grails.org/blog/2022-07-18-rce-vulnerability.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-35912