BigFix scans for CVE-2022-35912

Is anyone working on BigFix detection methods for CVE-2022-35912?
I did a quick lookup in the forum and bigfix.me and it seems like there is nothing to identify installation of Grails. BigFix inventory doesn’t return results either.
This is supposed to be a critical vulnerability and our infosec team is following closely.

More details - https://grails.org/blog/2022-07-18-rce-vulnerability.html

I’m just beginning to look at it. I think I can reuse the template I published for scanning for spring-boot-framework to scan for these files instead so I should be able to post something pretty quickly.

That said, I don’t actually have any Grails instances with easy access for me to scan - do you have any known-vulnerable systems on which you’d be willing to test a prerelease scan & analysis?

I could get a system to run the scan

I was able to build these based on the previous Spring Framework detections I had at bigfix.me. Please give these a try (on TEST systems) and let me know how they work out for you. I only have limited test cases, but on my Win10 and CentOS systems I’m detecting the grails-databinding-X.jar files on the filesystem and embedded in WAR archives.

Scan for Linux: https://bigfix.me/cdb/fixlet/26942
Scan for Windows: https://bigfix.me/cdb/fixlet/26943
Analysis for Results:
https://bigfix.me/analysis/details/2998675

These report all the grails-databinding JAR files that are found - the lesson I learned from Log4j is to not assume today’s version is still going to be a “good” version tomorrow, so I just report all the versions found for now.

As of today, the versions per Grails® framework RCE via Data Binding · Advisory · grails/grails-core · GitHub are

Affected versions
3.x, <=4.1.0, <=5.1.9, <=5.2.1

Patched versions
5.2.1, 5.1.9, 4.1.1, 3.3.15
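As an added illustration of the approach described above (this is not the bigfix.me fixlet's own relevance, which is not reproduced here), a small Python scan that walks a directory tree and reports every grails-databinding JAR found loose on disk or embedded in a WAR/EAR, reporting all versions rather than judging them. The file-name pattern, the archive extensions and the sample tree are assumptions constructed for the example.

```python
import os
import re
import tempfile
import zipfile

# File name pattern of the Grails data-binding artifact, e.g. grails-databinding-5.1.9.jar
JAR_RE = re.compile(r"^grails-databinding-(\d[^/\\]*)\.jar$", re.IGNORECASE)
ARCHIVE_EXT = (".war", ".ear", ".zip")  # containers that commonly carry nested JARs


def databinding_version(name):
    """Return the version if `name` is a grails-databinding JAR file name, else None."""
    m = JAR_RE.match(os.path.basename(name.replace("\\", "/")))
    return m.group(1) if m else None


def scan_archive(path):
    """Return (location, version) pairs for grails-databinding JARs inside one archive."""
    found = []
    try:
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                ver = databinding_version(member)
                if ver:
                    found.append((path + "!" + member, ver))
    except zipfile.BadZipFile:
        pass  # not a real zip container: skip it rather than abort the whole scan
    return found


def scan_tree(root):
    """Walk `root`; report every grails-databinding JAR, loose or embedded in a WAR/EAR."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            ver = databinding_version(fname)
            if ver:
                results.append((full, ver))
            elif fname.lower().endswith(ARCHIVE_EXT):
                results.extend(scan_archive(full))
    return sorted(results)  # all versions reported; judging them is left to the analysis


def make_sample_tree():
    """Constructed fixture: one loose JAR, one WAR embedding a JAR, one decoy JAR."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    open(os.path.join(root, "lib", "grails-databinding-4.1.0.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/grails-databinding-5.1.9.jar", b"")
        war.writestr("WEB-INF/lib/commons-io-2.11.0.jar", b"")  # decoy, must not match
    return root
```

Run `scan_tree("/opt")` (or any application root) to list hits as (location, version) pairs; `make_sample_tree()` builds a throwaway tree to try it on.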

I’m reaching out internally to test this out. Once I get results I will update you.

Looks like the link for the analysis is pointing to the analysis for the Spring framework

Apologies, too many tabs open…fixed the post above.

Hello Jason,
I was able to successfully execute the Fixlets and get results from the analysis. We haven’t deployed this en masse, but once we get a request from our infosec team we will expand our testing to multiple environments.