CVE-2022-35912: Grails Data Binding RCE Vulnerability

CVE-2022-35912 Overview

CVE-2022-35912 is a critical remote code execution vulnerability affecting the grails-databinding component in multiple versions of the Grails framework. This vulnerability allows remote attackers to execute arbitrary code by exploiting the data binding mechanism to gain access to the Java class loader. The flaw is particularly dangerous when certain Java 8 configurations are in use, enabling attackers to manipulate the class loader through crafted HTTP requests.

Critical Impact
Remote attackers can achieve full system compromise through arbitrary code execution by exploiting the data binding mechanism to access the class loader, potentially leading to complete takeover of affected Grails applications.

Affected Products

Grails versions before 3.3.15
Grails 4.x versions before 4.1.1
Grails 5.x versions before 5.1.9
Grails 5.2.x versions before 5.2.1

Discovery Timeline

2022-07-19 - CVE-2022-35912 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-35912

Vulnerability Analysis

The vulnerability resides in the grails-databinding component, which is responsible for binding HTTP request parameters to domain objects and command objects in Grails applications. The core issue is that the data binding mechanism does not properly restrict access to sensitive properties, allowing attackers to manipulate the class loader through specially crafted request parameters.

When processing HTTP requests, Grails' data binding automatically maps request parameters to object properties. However, insufficient restrictions on which properties can be bound allows attackers to traverse the object graph and reach the class loader. Once an attacker gains access to the class loader, they can load and instantiate arbitrary classes, ultimately achieving remote code execution on the server.

This vulnerability shares similarities with the infamous Spring4Shell (CVE-2022-22965) vulnerability, which also exploited class loader access through data binding mechanisms in Java web frameworks.

Root Cause

The root cause of this vulnerability is improper access control in the grails-databinding component. The data binding mechanism fails to adequately block access to dangerous properties that can lead to class loader manipulation. When certain Java 8 configurations are used, the attack path through the class loader becomes accessible, allowing parameter binding to reach security-sensitive objects that should never be exposed through user-controlled input.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to a vulnerable Grails application. The malicious parameters are designed to traverse the object hierarchy and access the class loader through the data binding mechanism.

The exploitation process involves:

Identifying a Grails endpoint that performs data binding on user-supplied parameters
Crafting request parameters that navigate through the object graph to reach the class loader
Using class loader access to load malicious classes or modify application behavior
Executing arbitrary code on the target server

For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory and the Grails Blog RCE Vulnerability Disclosure.

Detection Methods for CVE-2022-35912

Indicators of Compromise

Unusual HTTP request parameters containing class loader references (e.g., class.module.classLoader)
Web application logs showing unexpected parameter binding errors or class loading attempts
Unexpected processes spawned by the Grails application server
Suspicious modifications to application files or configurations
Network connections initiated from the application server to unexpected external hosts

Detection Strategies

Implement web application firewall (WAF) rules to detect and block requests containing class loader manipulation patterns
Monitor application logs for data binding errors involving restricted properties like class, classLoader, or module
Deploy runtime application self-protection (RASP) solutions to detect class loader access attempts
Analyze HTTP traffic for parameter patterns commonly associated with class loader exploitation

Monitoring Recommendations

Enable verbose logging for the grails-databinding component to capture parameter binding activity
Configure alerting for application server process spawning or unusual system calls
Implement network monitoring to detect outbound connections from application servers to suspicious destinations
Establish baseline behavior for Grails applications and alert on deviations

How to Mitigate CVE-2022-35912

Immediate Actions Required

Immediately upgrade Grails to a patched version: 3.3.15+, 4.1.1+, 5.1.9+, or 5.2.1+
Review application logs for any signs of exploitation attempts
Implement WAF rules to block requests containing class loader manipulation patterns
Consider temporarily disabling affected endpoints until patches can be applied
Audit all Grails applications in your environment for vulnerable versions

Patch Information

The Grails team has released security patches addressing this vulnerability across all affected version branches. Organizations should upgrade to the following minimum versions:

Grails 3.x: Upgrade to version 3.3.15 or later
Grails 4.x: Upgrade to version 4.1.1 or later
Grails 5.0.x/5.1.x: Upgrade to version 5.1.9 or later
Grails 5.2.x: Upgrade to version 5.2.1 or later

Detailed patch information is available in the GitHub Issue Report and the Grails Blog Security Advisory.

Workarounds

Implement a servlet filter or interceptor to strip dangerous parameter names before they reach the data binding mechanism
Configure explicit allow-lists for bindable properties in domain classes and command objects using bindable: false constraints
Deploy a web application firewall (WAF) with rules to block requests containing patterns like class.module.classLoader
Use network segmentation to limit the impact of potential compromise by restricting outbound connections from application servers

bash

# Example: Grails domain class with restricted binding
# In your domain class, explicitly mark dangerous properties as non-bindable:
# static constraints = {
#     class bindable: false
#     metaClass bindable: false
# }

# Verify Grails version after upgrade
grails --version
# Expected output should show 3.3.15+, 4.1.1+, 5.1.9+, or 5.2.1+

CVE-2022-35912 Overview

Critical Impact
Remote attackers can achieve full system compromise through arbitrary code execution by exploiting the data binding mechanism to access the class loader, potentially leading to complete takeover of affected Grails applications.

Affected Products

Grails versions before 3.3.15
Grails 4.x versions before 4.1.1
Grails 5.x versions before 5.1.9
Grails 5.2.x versions before 5.2.1

Discovery Timeline

2022-07-19 - CVE-2022-35912 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-35912

Vulnerability Analysis

This vulnerability shares similarities with the infamous Spring4Shell (CVE-2022-22965) vulnerability, which also exploited class loader access through data binding mechanisms in Java web frameworks.

Root Cause

Attack Vector

The exploitation process involves:

Identifying a Grails endpoint that performs data binding on user-supplied parameters
Crafting request parameters that navigate through the object graph to reach the class loader
Using class loader access to load malicious classes or modify application behavior
Executing arbitrary code on the target server

For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory and the Grails Blog RCE Vulnerability Disclosure.

Detection Methods for CVE-2022-35912

Indicators of Compromise

Unusual HTTP request parameters containing class loader references (e.g., class.module.classLoader)
Web application logs showing unexpected parameter binding errors or class loading attempts
Unexpected processes spawned by the Grails application server
Suspicious modifications to application files or configurations
Network connections initiated from the application server to unexpected external hosts

Detection Strategies

Implement web application firewall (WAF) rules to detect and block requests containing class loader manipulation patterns
Monitor application logs for data binding errors involving restricted properties like class, classLoader, or module
Deploy runtime application self-protection (RASP) solutions to detect class loader access attempts
Analyze HTTP traffic for parameter patterns commonly associated with class loader exploitation

Monitoring Recommendations

Enable verbose logging for the grails-databinding component to capture parameter binding activity
Configure alerting for application server process spawning or unusual system calls
Implement network monitoring to detect outbound connections from application servers to suspicious destinations
Establish baseline behavior for Grails applications and alert on deviations

How to Mitigate CVE-2022-35912

Immediate Actions Required

Immediately upgrade Grails to a patched version: 3.3.15+, 4.1.1+, 5.1.9+, or 5.2.1+
Review application logs for any signs of exploitation attempts
Implement WAF rules to block requests containing class loader manipulation patterns
Consider temporarily disabling affected endpoints until patches can be applied
Audit all Grails applications in your environment for vulnerable versions

Patch Information

The Grails team has released security patches addressing this vulnerability across all affected version branches. Organizations should upgrade to the following minimum versions:

Grails 3.x: Upgrade to version 3.3.15 or later
Grails 4.x: Upgrade to version 4.1.1 or later
Grails 5.0.x/5.1.x: Upgrade to version 5.1.9 or later
Grails 5.2.x: Upgrade to version 5.2.1 or later

Detailed patch information is available in the GitHub Issue Report and the Grails Blog Security Advisory.

Workarounds

Implement a servlet filter or interceptor to strip dangerous parameter names before they reach the data binding mechanism
Configure explicit allow-lists for bindable properties in domain classes and command objects using bindable: false constraints
Deploy a web application firewall (WAF) with rules to block requests containing patterns like class.module.classLoader
Use network segmentation to limit the impact of potential compromise by restricting outbound connections from application servers

bash

# Example: Grails domain class with restricted binding
# In your domain class, explicitly mark dangerous properties as non-bindable:
# static constraints = {
#     class bindable: false
#     metaClass bindable: false
# }

# Verify Grails version after upgrade
grails --version
# Expected output should show 3.3.15+, 4.1.1+, 5.1.9+, or 5.2.1+

CVE-2022-35912: Grails Data Binding RCE Vulnerability

CVE-2022-35912 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-35912

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-35912

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-35912

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2022-35912: Grails Data Binding RCE Vulnerability

CVE-2022-35912 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-35912

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-35912

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-35912

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform