Advisory ID: MOR20220721-01
CVSSv3 Range: 9.8
Issue Date: 07-21-2022
Updated On: 07-21-2022
Synopsis: In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.
Impacted Product Versions¶
Morpheus through 5.4.3 (which run Java 8) are confirmed to be impacted, Morpheus through 5.5.1-1 (for customers on 5.5.x Standard installations) and 5.4.8-2 (for customers on 5.4.x LTS installations) are potentially impacted if the vulnerability is found on Java 11.
Description: Morpheus v5.5.1-2, v5.5.1-3 and v5.4.8-2 are now available in response to CVE-3022-35912, a Grails Framework remote code execution vulnerability. Morpheus v5.5.1-2, v5.5.1-3 and v5.4.8-2 include the Grails v5.1.9 update that mitigates CVE-3022-35912. At this time, the CVE-3022-35912 vulnerability is only confirmed for Grails frameworks running on Java 8. Morpheus versions v5.4.4 and higher use Java 11. Appliances running v5.4.3 or earlier are highly advised to be upgraded to v5.4.4 or higher, and out of an abundance of caution we recommend all customers upgrade all Morpheus Appliances to v5.5.1-3 or v5.4.8-2 in the event the vulnerability is found to be exploitable on Java 11.
Resolution: Upgrade Morpheus appliance at least to version 5.4.4 or higher (which all use Java 11), however, out of an abundance of caution, we recommend customers upgrade to Morpheus 5.5.1-3+ (Standard) or 5.4.8-2+ (LTS) in case the vulnerability is found to be exploitable in Java 11.