Bug 1827765 (CVE-2020-12458) - CVE-2020-12458 grafana: information disclosure through world-readable /var/lib/grafana/grafana.db
Summary: CVE-2020-12458 grafana: information disclosure through world-readable /var/li...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12458
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1828735 1829987 1829988 1829989 1830006 1832212 1832637 1832638
Blocks: 1825837
Reported: 2020-04-24 18:17 UTC by Hardik Vyas
Modified: 2021-02-16 20:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information-disclosure flaw was found in the way Grafana set permissions for the database directory and file. This flaw allows a local attacker access to potentially sensitive information such as cleartext or encrypted datasource passwords from /var/lib/grafana/grafana.db.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:25:09 UTC
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2020:4682
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-11-04 02:59:36 UTC

Description Hardik Vyas 2020-04-24 18:17:39 UTC
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).

Notable fixes which remove readable bits:

- change permissions of /var/lib/grafana/grafana.db to 640 and user/group grafana:grafana
- change permissions of /var/lib/grafana to 750

Commits:

https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277
https://src.fedoraproject.org/rpms/grafana/c/925160cd8de011ab33609023abf961f4ff6ba804
https://src.fedoraproject.org/rpms/grafana/c/f7791a6ad70b7e9da1a30774434fed0eaa5a04a1

Comment 3 Hardik Vyas 2020-04-28 09:25:25 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1828735]

Comment 10 Hardik Vyas 2020-04-30 07:57:04 UTC
Mitigation:

Manually change the directory and files permissions to remove readable bits for others:

# chmod 750 /var/lib/grafana
# chmod 640 /var/lib/grafana/grafana.db
# chown grafana:grafana /var/lib/grafana/grafana.db
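
A small audit script that checks whether the mitigation above has been applied (added here as an example; it is not part of the bug report or of the Grafana packaging). It parses the mode string from `ls -ld`, which is POSIX-portable, and the default paths are the ones named in this bug; both can be overridden.

```sh
#!/bin/sh
# Audit the Grafana data directory and SQLite database for world-readable
# bits (CVE-2020-12458). Exit status 0 means nothing is exposed to "other".

# world_bits PATH -> prints the "other" rwx triplet from `ls -ld`, e.g. "r--"
# (characters 8-10 of the mode string; a trailing "." or "+" for SELinux/ACL
# does not shift them).
world_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_path PATH -> 0 if no bits are set for "other", 1 if any are set,
# 2 if the path does not exist.
check_path() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 2
    fi
    bits=$(world_bits "$path")
    case "$bits" in
        ---) echo "ok:      $path (other=$bits)"; return 0 ;;
        *)   echo "EXPOSED: $path (other=$bits)"; return 1 ;;
    esac
}

# audit_grafana DIR DB -> 0 only if both the directory and the database file
# deny all access to "other" (the 750 / 640 modes from the mitigation).
audit_grafana() {
    rc=0
    check_path "${1:-/var/lib/grafana}" || rc=1
    check_path "${2:-/var/lib/grafana/grafana.db}" || rc=1
    return $rc
}

# Run the audit against the real paths only when explicitly requested, so the
# functions can also be sourced from another script.
if [ "${GRAFANA_AUDIT_RUN:-0}" = 1 ]; then
    audit_grafana "$@"
fi
```

Run with `GRAFANA_AUDIT_RUN=1 sh audit.sh` as root (or as the grafana user) on a host; the ServiceMesh layout from the later comment can be checked by passing `/data/grafana /data/grafana/grafana.db`.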

Comment 20 Mark Cooper 2020-05-05 05:45:04 UTC
ServiceMesh grafana also sets its grafana.db permissions to world readable, however it's located at /data/grafana:

bash-4.4$ ls -lah /data/grafana/grafana.db
-rw-r--r--. 1 1000570000 1000570000 992K May  5 04:36 grafana.db

Comment 21 Mark Cooper 2020-05-05 06:14:26 UTC
Lowered the Severity Rating for ServiceMesh grafana. It would require an unlikely set of circumstances for this to be exploited (also increasing the attack complexity) due to grafana running within a container in ServiceMesh.

Comment 24 Jason Shepherd 2020-05-07 00:48:57 UTC
OCP 3.11 installs Grafana 5.4.3 which is vulnerable to this issue, despite being in the 5.x version series.

Comment 26 Mark Cooper 2020-05-07 04:06:49 UTC
Statement:

The versions of grafana shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 3 and 4 set world-readable permissions on the grafana database directory and file, and are hence affected by this vulnerability.

In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana containers set their database files to world readable. However, as it is run in a container image with SELinux MCS labels, this prevents other processes on the host from reading it. Therefore, for both (OCP and OSSM) the impact is low.

Comment 27 Product Security DevOps Team 2020-11-04 02:25:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12458

Comment 28 errata-xmlrpc 2020-11-04 02:59:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682

