Is anyone working on BigFix detection methods for CVE-2022-35912?
I did a quick lookup in the forum and bigfix.me and it seems like there is nothing to identify installation of Grails. BigFix inventory doesn’t return results either.
This is supposed to be a critical vulnerability and our infosec team is following closely.
I’m just beginning to look at it. I think I can reuse the template I published for scanning for spring-boot-framework to scan for these files instead so I should be able to post something pretty quickly.
That said, I don’t actually have any Grails instances with easy access for me to scan - do you have any known-vulnerable systems on which you’d be willing to test a prerelease scan & analysis?
I was able to build these based on the previous Spring Framework detections I had at bigfix.me. Please give these a try (on TEST systems) and let me know how they work out for you. I only have limited test cases, but on my Win10 and CentOS systems I’m detecting the grails-databinding-X.jar files on the filesystem and embedded in WAR archives.
These report all the grails-databinding JAR files that are found - the lesson I learned from Log4j is to not assume today’s version is still going to be a “good” version tomorrow, so I just report all the versions found for now.
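As an added illustration of the approach described in the post above (report every grails-databinding JAR found, whether loose on disk or packed inside a WAR, without judging which version is "good"), here is a small stand-alone Python scanner. It is not Jason's BigFix Fixlet or analysis; the directory layout, file names and version strings it uses are constructed for the demo and are not taken from any real system.

```python
"""Report every grails-databinding JAR on a filesystem, loose or embedded in a
WAR/EAR/JAR archive. Added example, not the BigFix content from the forum post."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Matches grails-databinding-<version>.jar and captures the version string.
JAR_NAME = re.compile(r"^grails-databinding-(\d[\w.\-]*)\.jar$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    location: str  # on-disk path, or "<archive>!<entry>" for an embedded JAR
    version: str


def version_from_name(basename: str):
    """Return the version if basename is a grails-databinding JAR, else None."""
    m = JAR_NAME.match(basename)
    return m.group(1) if m else None


def scan_archive(path: str):
    """List grails-databinding JARs embedded in a zip-format archive (WAR/EAR/JAR)."""
    found = []
    try:
        with zipfile.ZipFile(path) as zf:
            for entry in zf.namelist():
                v = version_from_name(entry.rsplit("/", 1)[-1])
                if v:
                    found.append(Finding(f"{path}!{entry}", v))
    except zipfile.BadZipFile:
        pass  # not a real archive (or corrupt): skip it rather than abort the scan
    return found


def scan_tree(root: str):
    """Walk root; report loose JARs by file name and look inside other archives."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            v = version_from_name(fn)
            if v:
                found.append(Finding(full, v))
            elif fn.lower().endswith((".war", ".ear", ".jar")):
                found.extend(scan_archive(full))
    return found


def build_fixture(root: str):
    """Constructed sample layout: one loose JAR, one WAR with an embedded JAR, plus decoys."""
    lib = os.path.join(root, "opt", "app", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "grails-databinding-5.2.0.jar"), "wb").close()  # loose, reported by name
    open(os.path.join(lib, "grails-core-5.2.0.jar"), "wb").close()         # decoy; empty file, not a zip
    webapps = os.path.join(root, "var", "tomcat", "webapps")
    os.makedirs(webapps)
    with zipfile.ZipFile(os.path.join(webapps, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/grails-databinding-4.0.1.jar", b"")    # embedded, reported
        war.writestr("WEB-INF/lib/grails-web-4.0.1.jar", b"")            # decoy, different artifact
        war.writestr("WEB-INF/classes/grails-databinding-notes.txt", b"")  # decoy, not a JAR


def demo():
    """Build the constructed fixture in a temp dir and return every finding."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.version}\t{f.location}")
```

Point `scan_tree()` at a real root (for example `/` or a Tomcat install) to use it outside the demo; every hit is listed with its version and, for embedded copies, the archive and entry path, so the "is this version still acceptable" decision can be made later against the list rather than baked into the scanner.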
Hello Jason,
I was able to successfully execute the Fixlets and get results from the analysis. We haven’t deployed this en masse, but once we get a request from our infosec team we will expand our testing to multiple environments.