Bug 1746945 (CVE-2019-15043)
| Summary: | CVE-2019-15043 grafana: incorrect access control in snapshot HTTP API leads to denial of service | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agerstmayr, ahardin, alegrand, anpicker, bleanhar, bmontgom, ccoleman, dedgar, eparis, erooth, grafana-maint, jburrell, jgoulding, jkurik, jokerman, kakkoyun, lcosic, mchappel, mgoodwin, mloibl, nathans, nstielau, pkrupa, puebele, security-response-team, sfowler, sisharma, sponnaga, surbania, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | grafana 5.4.5, grafana 6.3.4 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-28 16:34:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1747308, 1747309, 1747310, 1747311, 1747423, 1747424, 1753408 | ||
| Bug Blocks: | 1746950 | ||
|
Description
msiddiqu
2019-08-29 14:49:29 UTC
External Reference: https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/ Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1747308] Upstream patches: https://github.com/grafana/grafana/commit/ebc257ad47133eb12ae63160c8b7307306f9ced8 [5.4.5] https://github.com/grafana/grafana/commit/be2e2330f5c1f92082841d7eb13c5583143963a4 [6.3.4] Mitigation: Block access to the snapshot feature by blocking the /api/snapshots URL via a web application firewall, load balancer, reverse proxy etc. You can also set 'external_enabled' to false to disable external snapshot publish endpoint (default true). Note, it will completely disable this feature. # cat /etc/grafana/grafana.ini [...] [snapshots] # snapshot sharing options external_enabled = false external_snapshot_url = https://snapshots-origin.raintank.io external_snapshot_name = Publish to snapshot.raintank.io [...] Acknowledgments: Name: the Grafana team Statement: OpenShift Container Platform secures all usages of Grafana behind the oauth-proxy, preventing access to Grafana without authentication. Red Hat Product Security have rated this vulnerability as Low for OpenShift Container Platform. This issue affects the version of Grafana as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it contains the vulnerable snapshot functionality. `/api/snapshots` endpoint is deeply integrated in grafana codebase and CANNOT be completely disabled. One can only disable sharing snapshots externally with `external_enabled = false` option [1], which removes `/api/snapshot/shared-options` endpoint [2]. In OpenShift all grafana endpoints are protected with oauth-proxy, preventing access to Grafana without authentication. I would argue that in case of OpenShift this is not an issue. [1]: https://grafana.com/docs/grafana/latest/installation/configuration/#snapshots [2]: https://github.com/grafana/grafana/blob/master/public/app/features/dashboard/components/ShareModal/ShareSnapshot.tsx#L61-L67 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1659 https://access.redhat.com/errata/RHSA-2020:1659 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-15043 |