Vulnerability Update - Grails Framework (CVE-2022-35912)

Background

One of our third-party framework providers, Grails, has recently reported a critical vulnerability (CVE-2022-35912) in one of their frameworks, which impacts a small number of versions of our dashboard. The issue is only present in versions of the dashboard that utilise the Grails 3 framework, which we only recently upgraded to, starting from April 22.

Events

To help keep customers informed of our latest responses to this vulnerability, we have created an events table below. In response to the vulnerability, we have decided to patch our July release, which now includes an updated Grails framework (3.3.15) that resolves the issue.

Date | Event
Jul 25, 2022 | Internal testing commenced on vulnerability fix
Jul 27, 2022 | Patch release made available for partners to download

Recommendations

If you are working with a version of the dashboard prior to the April 22 release (2022_04_28, .1 or .2), you will not be impacted by this vulnerability, as it does not exist in the earlier version of the Grails framework.

If you did take a version of our April 22 releases, or the more recent July 22 release (pi.2022_06_30), we strongly recommend that you upgrade to the patch release to take advantage of the security enhancement provided. We always encourage partners to upgrade to the latest version of the dashboard, to benefit from the very latest security fixes and features from both our software and our third-party providers.

Release Availability

The new July patch release (pi.2022_06_30.1) is available now, and can be downloaded from the Download Site and from our DockerHub repository. Should you make use of our AWS Marketplace image, it will be updated over the next couple of days, once they have verified the images on their side.