Vulnerability Update - Grails Framework

Background

One of our third-party framework providers, Grails, has recently reported a critical vulnerability (CVE-2022-35912) in one of their frameworks, which impacts a small number of versions of our dashboard. The issue is only present in versions of the dashboard that utilise the Grails 3 framework, which we only recently upgraded to from April 22.

Events

To help keep customers informed of our latest responses to this vulnerability, we have created an events table below. In response to the vulnerability, we have decided to patch our July release, which now includes an updated Grails framework (3.3.15) which resolves the issue.

Date

Event

Date

Event

Jul 25, 2022

Internal testing commenced on vulnerability fix

Jul 27, 2022

Patch release made available for partners to download

Recommendations

If you are working with a version of the dashboard prior to the April 22 release (2022_04_28, .1 or .2), you will not be impacted by this vulnerability, as it does not exist in the earlier version of the Grails framework.

If you did take a version of our April 22 releases, or the more recent July 22 release (pi.2022_06_30), we strongly recommend that you upgrade to the patch release to take advantage of the security enhancement provided. We always encourage partners to upgrade to the latest version of the dashboard, to benefit from the very latest security fixes and features from both our software and our third-party providers.

Release Availability

The new July patch release (pi.2022_06_30.1) is available now, and can be downloaded from the Download Site and from our DockerHub repository. Our AWS Marketplace image will be updated over the next couple of days, once they have verified the images on their side, should you make use of that version.