Workaround for CVE-2022-41923: Privilege Management Vulnerability

Summary

The vulnerability CVE-2022-41923 found in the unpatched Grails Spring Security Core (GSSC) plugin can result in improper privilege management. This repository describes how to work around the issue.

If you are using an unpatched version of the plugin, we recommend highly that you upgrade to a patched version. If you are unable to upgrade immediately, we encourage you to implement the workaround described in this document. This is especially important if you are using GSSC plugin version 2.x, as no patch is available for version 2.x.

Preparation

In order to correctly configure the workaround, you need to know:

• The version of the GSSC plugin your application employs. Look for the version number in your build.gradle file. (For Grails 2.x, look in the BuildConfig.groovy file).

• What security configuration type you are using: that is, the configuration value for grails.plugin.springsecurity.securityConfigType

Note: In all the instructions and configuration below, the demo package is used. Change this package appropriately for your application and the location you place the patched source files.

Workaround for GSSC Plugin (versions 3.x - 5.x)

Determine the workaround class you need based on your security configuration type.

Copy the corresponding source file into your src/main/groovy source tree.

Finally, add the following configuration to your application.groovy config file, replacing PatchedAnnotationFilterInvocationDefinition with the needed workaround class.

grails.plugin.springsecurity.objectDefinitionSourceBeanClass = 'demo.PatchedAnnotationFilterInvocationDefinition'

Workaround for GSSC Plugin (version 2.x)

As above, determine the workaround class you need based on your security configuration type. Copy the corresponding source file into your src/groovy source tree. Then edit your bean configuration based on your application's security configuration type.

Security Config Type: Annotation

If using security configuration type Annotation, edit the grails-app/conf/spring/resources.groovy to include:

import demo.PatchedAnnotationFilterInvocationDefinition
import grails.plugin.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    objectDefinitionSource(demo.PatchedAnnotationFilterInvocationDefinition) {
        application = ref('grailsApplication')
        grailsUrlConverter = ref('grailsUrlConverter')
        responseMimeTypesApi = ref('responseMimeTypesApi')
        boolean lowercase = conf.controllerAnnotations.lowercase
        if (conf.rejectIfNoRule instanceof Boolean) {
            rejectIfNoRule = conf.rejectIfNoRule
        }
    }

    // ... existing bean configuration ...
}

Security Config Type: Static Map

If using security configuration type InterceptUrlMap, edit the grails-app/conf/spring/resources.groovy to include:

import demo.PatchedInterceptUrlMapFilterInvocationDefinition
import grails.plugin.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    objectDefinitionSource(demo.PatchedInterceptUrlMapFilterInvocationDefinition) {
        if (conf.rejectIfNoRule instanceof Boolean) {
            rejectIfNoRule = conf.rejectIfNoRule
        }
    }

    // ... existing bean configuration ...
}

Security Config Type: Requestmap Instances

If using security configuration type Requestmap, edit the grails-app/conf/spring/resources.groovy to include:

import demo.PatchedRequestmapFilterInvocationDefinition
import grails.plugin.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    objectDefinitionSource(demo.PatchedRequestmapFilterInvocationDefinition) {
        if (conf.rejectIfNoRule instanceof Boolean) {
            rejectIfNoRule = conf.rejectIfNoRule
        }
    }

    // ... existing bean configuration ...
}

More Information

For additional information on this vulnerability, please see the Grails blog post.

Discussion and questions can be directed to this Grails Spring Security Core plugin issue on GitHub.