Bug 1624088 (CVE-2018-15727)

Summary: CVE-2018-15727 grafana: authentication bypass knowing only a username of an LDAP or OAuth user
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, chrisw, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, mmagr, rbryant, sclewis, sisharma, slinaber, ssaha, tdecacqu, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: grafana 5.2.3, grafana 4.6.4
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:37:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1626399, 1626400, 1626401, 1626866, 1626867
Bug Blocks: 1624089

Description Laura Pardo 2018-08-30 22:11:09 UTC
A flaw was found in Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 that allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.

References:
https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/

Comment 1 Siddharth Sharma 2018-08-31 11:11:04 UTC
Reading the code, the following seem to be the fixes for this:

For 5.2.x: https://github.com/grafana/grafana/commit/df83bf10a225811927644bdf6265fa80bdea9137
For 4.6.x: https://github.com/grafana/grafana/commit/7baecf0d0deae0d865e45cf03e082bc0db3f28c3

Comment 4 Siddharth Sharma 2018-09-07 06:22:37 UTC
Mitigation:

As per upstream (https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix)

* Switch to an authentication mechanism other than LDAP or OAuth
* Grafana should be isolated from public networks

Comment 9 errata-xmlrpc 2018-12-17 17:06:21 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7

Via RHSA-2018:3829 https://access.redhat.com/errata/RHSA-2018:3829

Comment 10 errata-xmlrpc 2019-01-03 17:44:51 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 3.2

Via RHSA-2019:0019 https://access.redhat.com/errata/RHSA-2019:0019