CVE-2023-46131 Discussion #13302

Closed
mattmoss opened this issue Dec 19, 2023 · 20 comments
Comments

@mattmoss
Contributor

mattmoss commented Dec 19, 2023

A vulnerability in the Grails® framework has been identified and patched. For details, please see the blog post announcing the vulnerability and the published security advisory.

If you use a vulnerable version of the Grails® framework, upgrading to a patched version is highly recommended.

This thread has been opened to facilitate discussion about CVE-2023-46131. If you have any comments or questions, please add them below.

@mattmoss mattmoss self-assigned this Dec 19, 2023
@grails grails locked and limited conversation to collaborators Dec 19, 2023
@mattmoss mattmoss changed the title Placeholder CVE-2023-46131 Discussion Dec 20, 2023
@mattmoss mattmoss added the relates-to: security Security issues label Dec 20, 2023
@grails grails unlocked this conversation Dec 20, 2023
@mattmoss mattmoss pinned this issue Dec 20, 2023
@jdaugherty
Contributor

Snakeyaml is also being updated as part of the Grails 5.3.5 release and this in turn causes a substantial amount of plugin versions to mismatch / need upgrading. Specifically, snakeyaml 2.0 is incompatible with certain older versions of jackson. Was the snakeyaml change needed for the binding fix?

It looks like #13239 was the pull request that applied the fix to grails 5.3.x. Can this be confirmed as the actual fix?

@mattmoss
Contributor Author

That pull request was part of the 5.3.4 release, which did include the patch for CVE-2023-46131 but also created the plugin issue. Release 5.3.5 should resolve the plugin issue.

@jglapa

jglapa commented Dec 22, 2023

After the upgrade from 3.3.15 to 3.3.17 we encountered a problem with startup of our app in Tomcat 8.
I see that snakeyaml-2.2.jar is properly bundled with the WAR, still this is being thrown upon startup.
Any ideas what that could be?

Caused by: java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.Constructor: method <init>()V not found
        at org.springframework.beans.factory.config.YamlProcessor$StrictMapAppenderConstructor.<init>(YamlProcessor.java:398)
        at org.springframework.beans.factory.config.YamlProcessor.createYaml(YamlProcessor.java:146)
        at org.springframework.beans.factory.config.YamlProcessor.process(YamlProcessor.java:133)
        at org.grails.config.yaml.YamlPropertySourceLoader.load(YamlPropertySourceLoader.groovy:84)
        at org.grails.plugins.AbstractGrailsPlugin.<init>(AbstractGrailsPlugin.java:93)
        at org.grails.plugins.DefaultGrailsPlugin.<init>(DefaultGrailsPlugin.java:115)
        at org.grails.plugins.DefaultGrailsPlugin.<init>(DefaultGrailsPlugin.java:320)
        at org.grails.plugins.BinaryGrailsPlugin.<init>(BinaryGrailsPlugin.java:73)
        at grails.plugins.DefaultGrailsPluginManager.createBinaryGrailsPlugin(DefaultGrailsPluginManager.java:449)
        at grails.plugins.DefaultGrailsPluginManager.findCorePlugins(DefaultGrailsPluginManager.java:358)
        at grails.plugins.DefaultGrailsPluginManager.attemptLoadPlugins(DefaultGrailsPluginManager.java:311)
        at grails.plugins.DefaultGrailsPluginManager.loadPlugins(DefaultGrailsPluginManager.java:221)
        at grails.boot.config.GrailsApplicationPostProcessor.initializeGrailsApplication(GrailsApplicationPostProcessor.groovy:90)
        at grails.boot.config.GrailsApplicationPostProcessor.setApplicationContext(GrailsApplicationPostProcessor.groovy:225)
        at grails.boot.config.GrailsApplicationPostProcessor.<init>(GrailsApplicationPostProcessor.groovy:78)
        at grails.boot.config.GrailsAutoConfiguration.grailsApplicationPostProcessor(GrailsAutoConfiguration.groovy:68)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162)
        ... 33 more

Problem goes away after downgrade; not sure about any side effects, but so far good:

   compile 'org.yaml:snakeyaml:1.33'

@mattmoss
Contributor Author

mattmoss commented Dec 22, 2023

@jdaugherty

> Snakeyaml is also being updated as part of the Grails 5.3.5 release and this in turn causes a substantial amount of plugin versions to mismatch / need upgrading. Specifically, snakeyaml 2.0 is incompatible with certain older versions of jackson. Was the snakeyaml change needed for the binding fix?

@jglapa

> After the upgrade from 3.3.15 to 3.3.17 we encountered a problem with startup of our app in Tomcat 8.
> I see that snakeyaml-2.2.jar is properly bundled with the WAR, still this is being thrown upon startup.
> Any ideas what that could be?

Investigating…

@bryndavies

bryndavies commented Jan 4, 2024

Hi, we are also running a legacy app that is on Grails 3.3.15. After the 3.3.17 upgrade we are seeing similar compatibility issues as mentioned above.
Force downgrading snakeyaml to 1.x doesn't work for us, as the Grails CLI and GroovyPageCompiler both use the new LoaderOptions class, e.g.:

java.lang.ClassNotFoundException: org.yaml.snakeyaml.LoaderOptions
	at java.net.URLClassLoader.findClass(URLClassLoader.java:387)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
	at org.grails.config.CodeGenConfig.loadYml(CodeGenConfig.groovy:157)
	at org.grails.config.CodeGenConfig$_loadYml_closure1.doCall(CodeGenConfig.groovy:133)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
	at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:264)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
	at groovy.lang.Closure.call(Closure.java:420)
	at groovy.lang.Closure.call(Closure.java:436)
	at org.codehaus.groovy.runtime.IOGroovyMethods.withStream(IOGroovyMethods.java:1215)
	at org.codehaus.groovy.runtime.ResourceGroovyMethods.withInputStream(ResourceGroovyMethods.java:1701)
	at org.grails.config.CodeGenConfig.loadYml(CodeGenConfig.groovy:132)
	at org.grails.cli.GrailsCli.loadApplicationConfig(GrailsCli.groovy:589)

is there any update on this issue at this stage?
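
The two stack traces in this thread point in opposite directions: the NoSuchMethodError above for Constructor.<init>()V comes from Spring's YamlProcessor calling the no-arg `new Constructor()`, which SnakeYAML 2.0 removed, while the ClassNotFoundException for LoaderOptions comes from a 1.x jar old enough to predate that class. The following Groovy script is an added diagnostic, not Grails project code: it lists every snakeyaml jar in a WAR's WEB-INF/lib and in any extra directories (Tomcat's shared lib is the usual second source of a stray copy) and classifies each one by the API it actually exposes rather than by its file name. It assumes only a JDK and the Groovy runtime; the WAR and Tomcat paths on the usage line are placeholders.

```groovy
// snakeyaml-check.groovy (added example, not part of Grails)
// Usage: groovy snakeyaml-check.groovy build/libs/app.war [/opt/tomcat/lib ...]
import java.util.jar.JarFile
import java.util.zip.ZipFile

// Collect every jar named snakeyaml*.jar from the WAR's WEB-INF/lib (extracted to a
// temp dir so it can be opened) plus any extra directories given on the command line.
List<File> findSnakeyamlJars(File war, List<File> extraDirs) {
    List<File> found = []
    if (war?.isFile()) {
        File tmp = File.createTempDir('snakeyaml-check', '')
        new ZipFile(war).withCloseable { ZipFile zip ->
            Collections.list(zip.entries()).each { entry ->
                if (entry.name ==~ /WEB-INF\/lib\/snakeyaml.*\.jar/) {
                    File out = new File(tmp, entry.name.tokenize('/').last())
                    out.bytes = zip.getInputStream(entry).bytes
                    found << out
                }
            }
        }
    }
    extraDirs.findAll { it.isDirectory() }.each { dir ->
        dir.eachFileMatch(~/snakeyaml.*\.jar/) { found << it }
    }
    found
}

boolean classExists(ClassLoader loader, String name) {
    try { Class.forName(name, false, loader); true } catch (ClassNotFoundException ignored) { false }
}

// Classify one jar by probing it in an isolated class loader (bootstrap parent, so
// nothing from the script's own classpath leaks in). Two probes are enough:
//   - does org.yaml.snakeyaml.LoaderOptions exist at all?
//   - does org.yaml.snakeyaml.constructor.Constructor still have a no-arg constructor?
Map classify(File jar) {
    String manifestVersion = new JarFile(jar).withCloseable { JarFile jf ->
        jf.manifest?.mainAttributes?.getValue('Bundle-Version')   // best effort; SnakeYAML ships as an OSGi bundle
    }
    URLClassLoader loader = new URLClassLoader([jar.toURI().toURL()] as URL[], (ClassLoader) null)
    boolean hasLoaderOptions = classExists(loader, 'org.yaml.snakeyaml.LoaderOptions')
    boolean hasNoArgConstructor = false
    try {
        Class.forName('org.yaml.snakeyaml.constructor.Constructor', false, loader).getConstructor()
        hasNoArgConstructor = true
    } catch (NoSuchMethodException | ClassNotFoundException ignored) {
        // 2.x: only Constructor(LoaderOptions) and friends remain
    }
    loader.close()
    String verdict
    if (!hasLoaderOptions) {
        verdict = 'old 1.x: code compiled against LoaderOptions fails with ClassNotFoundException'
    } else if (hasNoArgConstructor) {
        verdict = 'late 1.x: Spring Boot 2.x YamlProcessor (new Constructor()) works'
    } else {
        verdict = '2.x: callers of new Constructor() fail with NoSuchMethodError'
    }
    [jar: jar.name, version: manifestVersion ?: 'unknown', loaderOptions: hasLoaderOptions,
     noArgConstructor: hasNoArgConstructor, verdict: verdict]
}

File war = args ? new File(args[0]) : null
List<File> extraDirs = args.length > 1 ? args[1..-1].collect { new File(it) } : []
List<File> jars = findSnakeyamlJars(war, extraDirs)
if (jars.isEmpty()) {
    println 'no snakeyaml jar found'
} else {
    jars.each { jar -> println classify(jar) }
    if (jars.size() > 1) {
        println "WARNING: ${jars.size()} snakeyaml jars visible; the one the class loader sees first wins"
    }
}
```

Probing the constructor by reflection is more reliable than reading the version out of the file name, because a jar renamed or shaded by a plugin still answers the only question that matters here: whether the API the Grails and Spring classes were compiled against is the one that will be loaded at runtime.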

@bilgehanm

Hi, same problem after upgrading from 3.3.9 to 3.3.17.

@mattmoss
Contributor Author

mattmoss commented Jan 4, 2024

My apologies for the problems. We're working on it. I should have an answer for you all soon.

@mattmoss
Contributor Author

mattmoss commented Jan 22, 2024

For those who have had issues with 3.3.17 or 5.3.5, please give 3.3.18 or 5.3.6 a try.

While fixing the CVE, an unrelated update was made that caused a major version bump to SnakeYAML. These latest patch releases reverted that SnakeYAML change.

@jdaugherty @jglapa @bryndavies

@mattmoss
Contributor Author

Version 4.1.x was also patched to 4.1.4 to revert the SnakeYAML change, and the blog post was updated with the fixed releases.

@motohi

motohi commented Feb 26, 2024

Hi, execution of the grails command is failing. Isn't the projectVersion variable 4.1.4-SNAPSHOT in the first line of gradle.properties incorrect? Isn't it necessary to change it to projectVersion=4.1.4?

@mattmoss
Contributor Author

mattmoss commented Mar 1, 2024

> Hi, execution of the grails command is failing. Isn't the projectVersion variable 4.1.4-SNAPSHOT in the first line of gradle.properties incorrect? Isn't it necessary to change it to projectVersion=4.1.4?

I'm looking into this.

@mattmoss
Contributor Author

mattmoss commented Mar 8, 2024

@motohi
The 4.1.4 release should be fixed.

@motohi

motohi commented Mar 12, 2024

@mattmoss
Thanks for the update. However, an error still occurs when executing Gradle. Probably this repository does not have 4.1.4/, which is why the error occurs.
https://repo.grails.org/ui/native/core/org/grails/grails-gradle-plugin

You can see the runtime output in related issues.
#13378

@matrei
Contributor

matrei commented Mar 12, 2024

I think this is because there is no 4.1.4 release of Grails Gradle Plugin.

Before Grails 5 the versions of Grails and the Grails Gradle Plugin were connected:
https://docs.grails.org/5.0.0/guide/single.html#_grails_gradle_plugin

So the solution seems to be to make a 4.1.4 release of Grails Gradle Plugin.

@mattmoss
Contributor Author

@puneetbehl Can you confirm/release v4.1.4 of the Gradle plugin?

@mattmoss
Contributor Author

@motohi @matrei Grails Gradle Plugin has been updated for 4.1.4.

@boardbloke

I'm trying to upgrade a Grails app from 5.3.6 to 6.2.0 or 6.1.2, and in both cases I can see (via the Gradle project-report plugin) that snakeyaml 2.x is pulled in and is overriding the default version provided by Spring Boot.

That is - e.g.:

  1. Install Grails 6.2.0 or 6.1.2.
  2. Run grails create-app to create a web app.
  3. Modify build.gradle or settings.gradle to add the "project-report" plugin.
  4. Run the projectReport task to get a dependencies.txt in the build folder.
  5. Look at the report and notice snakeyaml 2.x is transitively pulled in in a number of places.

I note that Grails 5.3.6 does not do this - presumably as the result of the work done above?

Anyway, the Boot guys seem to be saying that snakeyaml 2.x cannot be used with Boot 2.7.x, so will Grails 6.x still work if I force the snakeyaml version down to 1.3 in the build.gradle?

Cheers
Neill

@mattmoss
Contributor Author

mattmoss commented Apr 29, 2024

@boardbloke
You should be okay if you downgrade snakeyaml to 1.3 in your build.gradle. I did a quick experiment to that effect and I didn't run into any problems.

I believe snakeyaml was upgraded to eliminate certain CVEs (unrelated to this thread), but I don't believe grails-core (i.e. the module requiring snakeyaml 2.2) made any related changes.

@puneetbehl Do you have any comments on this?
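
The build.gradle changes behind the five steps above and the downgrade advice in the reply, written out as an added example (Groovy DSL; not Grails project code). It assumes a Grails 6.x application on Spring Boot 2.7.x whose resolved graph pulls in snakeyaml 2.x, pins the whole graph to 1.33 (the last 1.x release, and the version the earlier snippet in this thread also pins), and adds a task that fails the build if any other version still reaches the runtime classpath. The task name checkSnakeyaml is invented for the example.

```groovy
// build.gradle additions (added example, not Grails project code)
// Assumes a Grails 6.x app on Spring Boot 2.7.x. Steps 3 and 4 above correspond to:
//   ./gradlew projectReport   -> build/reports/project/dependencies.txt
apply plugin: 'project-report'

configurations.all {
    resolutionStrategy {
        // Spring Boot 2.7's YamlProcessor calls new Constructor(), which SnakeYAML 2.0 removed,
        // so force every configuration onto the last 1.x release instead of letting a
        // transitive 2.x win the conflict resolution.
        force 'org.yaml:snakeyaml:1.33'
    }
}

// Fail fast if a 2.x copy still reaches the runtime classpath (for example through a
// plugin that ships its own). Checking the resolved graph, not the declared versions,
// is what catches the transitive case the dependency report showed.
tasks.register('checkSnakeyaml') {
    doLast {
        Set<String> versions = configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group == 'org.yaml' && it.name == 'snakeyaml' }
            .collect { it.version } as Set
        if (versions != (['1.33'] as Set)) {
            throw new GradleException("snakeyaml on runtimeClasspath is ${versions}, expected [1.33]")
        }
        logger.lifecycle("snakeyaml pinned to ${versions}")
    }
}
tasks.named('assemble') { dependsOn 'checkSnakeyaml' }
```

One caveat worth stating next to any such pin: going back to 1.33 restores the API Spring Boot 2.7 was compiled against, but it also keeps 1.x's `Constructor` behaviour of instantiating arbitrary classes named by global tags in a document (CVE-2022-1471, the weakness SnakeYAML 2.0 closed by default). That only matters where the application parses YAML from untrusted sources with `Constructor`/`Yaml`; the framework's own application.yml loading is not such a source, but any other YAML parsing in the app should be reviewed before the pin is accepted as permanent.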

@mattmoss mattmoss closed this as completed May 7, 2024
@boardbloke

Done that, and it appears to work.

I guess the only further comment I have is that if Grails 6.x is targeting Spring Boot 2.7.x then it shouldn't be upgrading snakeyaml to 2.2. Every project will have to downgrade it again to get it to work.

I.e. upgrading snakeyaml in Grails doesn't really "fix" anything.

Cheers
N

@mattmoss
Contributor Author

mattmoss commented May 8, 2024

@boardbloke I don't have the info for you about reasons for the Grails 6.x change, and unfortunately, I am no longer with the Grails team in any capacity, so I personally cannot help here much further.

Since this particular issue was for CVE-2023-46131, I would recommend opening a new issue to deal with that particular bit (i.e. snakeyaml and Spring Boot versions), and hopefully whoever is still on the Grails team can address that issue.
