Are Spring Framework cluster security vulnerabilities applicable to Grails

Several vulnerabilities apply to Spring Framework versions that are included in my Grails deployments. Are they also vulnerabilities in Grails (v2.2.5, which contains Spring 3.1.4)? Vulnerabilities listed here

http://www.cvedetails.com/vulnerability-list/vendor_id-9664/product_id-17274/Springsource-Spring-Framework.html

refer, for example, to Spring v3.0.0 to 3.2.8, which includes 3.1.4, but Grails 2.2.5 is the latest 2.2.x version.

How do I know if these CVEs apply to my version of Grails?

1 answer


The Spring, Grails and Groovy teams have been part of the same company since 2008, when SpringSource (sadly no longer an entity) bought G2One, continuing to buy SpringSource from VMware, and disbanding SpringSource into Pivotal when it was formed from teams from EMC and VMware ... They work together, and of course, the Spring team notifies the Grails team when vulnerabilities appear.

The problems on the page you linked to are either not problems in Grails, or are old enough that any recent version of Grails uses a version of Spring that has a fix for the problem. In particular, CVE-2014-1904 deals with web/servlet/tags/form/FormTag.java, but while JSP tags are supported in Grails, they are rarely used, as GSP tags and their applications are much more convenient. CVE-2014-0054, CVE-2013-7315 and CVE-2013-4152 refer to StAX/OXM/JAXB/XXE, a few XML-based acronyms that have no direct support in Grails and, as far as I know, have little (if any) plugin support. CVE-2013-6429 discusses SourceHttpMessageConverter, which doesn't seem to be used directly, but is potentially used by RestTemplate and therefore potentially with the rest-client-builder plugin.



But if these were problems, the Grails team would be notified and the issues would be addressed. This has happened several times in the past, for example http://support.springsource.com/security/cve-2012-1833. Issues with Grails have also been reported using the same mechanism, e.g. http://www.pivotal.io/security/cve-2014-0053
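One defensive way to work through the question's last line ("How do I know if these CVEs apply to my version of Grails?"), added here as an example that is not part of either post: a small Python triage script that takes the app's resolved Spring jar names and installed plugins, checks whether the artifact behind each CVE is on the classpath at all, compares its version against the 3.0.0 to 3.2.8 range quoted in the question, and flags when a plugin such as rest-client-builder makes the component reachable. The CVE-to-artifact mapping, the sample jar list and the plugin list are constructed assumptions for illustration, not data from the advisories.

```python
import re

# Range quoted in the question (Spring 3.0.0 to 3.2.8, covering the 3.1.4 that
# Grails 2.2.5 bundles); real advisories give per-CVE ranges, so confirm each.
AFFECTED_RANGE = ((3, 0, 0), (3, 2, 8))

# Assumed mapping (derived from the answer's description of each CVE, not from
# the advisories) of CVE -> Spring artifact holding the affected class, and the
# Grails plugin, if any, that would make that component reachable.
CVE_TABLE = {
    "CVE-2014-1904": ("spring-webmvc", None),  # FormTag / JSP form tags
    "CVE-2014-0054": ("spring-oxm", None),     # StAX/OXM/JAXB XXE family
    "CVE-2013-7315": ("spring-oxm", None),
    "CVE-2013-4152": ("spring-oxm", None),
    "CVE-2013-6429": ("spring-web", "rest-client-builder"),  # SourceHttpMessageConverter via RestTemplate
}

JAR_RE = re.compile(r"^(spring-[a-z-]+)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$")

def parse_jar(filename):
    """'spring-web-3.1.4.RELEASE.jar' -> ('spring-web', (3, 1, 4)); None otherwise."""
    m = JAR_RE.match(filename)
    return (m.group(1), tuple(int(m.group(i)) for i in (2, 3, 4))) if m else None

def in_affected_range(version, rng=AFFECTED_RANGE):
    lo, hi = rng
    return lo <= version <= hi  # inclusive at both ends

def triage(jar_files, plugins, cve_table=CVE_TABLE):
    """Verdict per CVE for an app with these resolved jars and installed plugins."""
    jars = dict(j for j in map(parse_jar, jar_files) if j)
    verdicts = {}
    for cve, (artifact, trigger_plugin) in cve_table.items():
        version = jars.get(artifact)
        if version is None:
            verdicts[cve] = "not-on-classpath"
        elif not in_affected_range(version):
            verdicts[cve] = "version-outside-affected-range"
        elif trigger_plugin and trigger_plugin in plugins:
            verdicts[cve] = "reachable-via-" + trigger_plugin
        else:
            verdicts[cve] = "in-range-but-component-unused-by-default"
    return verdicts

# Constructed sample resembling a Grails 2.2.5 app's resolved Spring jars and
# the plugins declared in its BuildConfig.groovy (assumed, not a real report).
SAMPLE_JARS = ["spring-core-3.1.4.RELEASE.jar", "spring-web-3.1.4.RELEASE.jar",
               "spring-webmvc-3.1.4.RELEASE.jar"]
SAMPLE_PLUGINS = ["hibernate", "rest-client-builder"]
```

Calling `triage(SAMPLE_JARS, SAMPLE_PLUGINS)` on the sample marks the three OXM CVEs as not on the classpath, the FormTag CVE as in range but unused by default, and CVE-2013-6429 as reachable through rest-client-builder, which is the review list a practitioner would take to the advisories.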