Bug 1768007 (CVE-2019-15635)
| Summary: | CVE-2019-15635 grafana: passwords for data sources are not encrypted | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | agerstmayr, alegrand, anpicker, bmontgom, eparis, erooth, grafana-maint, hvyas, jburrell, jkurik, jokerman, kakkoyun, kconner, lcosic, mcooper, mgoodwin, mloibl, nathans, nstielau, pkrupa, puebele, rcernich, sisharma, sponnaga, surbania, tbowling, twalsh, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | grafana 6.2.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-12-18 07:49:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1783113, 1783114 | | |
| Bug Blocks: | 1768008 | | |
Description
Guilherme de Almeida Suckevicz
2019-11-01 20:46:54 UTC
Grafana 6.2.0-beta1 (2019-05-07) contains the following fix:

- Security: Store data source passwords encrypted in secureJsonData. #16175, @aocenas

Looks like all versions prior to 6.2.0-beta1 are affected. I've tested it with Grafana 6.1.6 (vulnerable) and Grafana 6.2.0-beta1 (not vulnerable).

One more note: we started to deliver the grafana package in RHEL-8.1. We do not deliver the grafana package in older versions of RHEL. The version delivered in RHEL-8.1 is grafana-6.2.2 and is not affected by this CVE.

ServiceMesh uses Grafana 6.2.2.

Related commits in date order:

- 66f6e16 - Security: Store datasource passwords encrypted in secureJsonData (#16175) (post 5.4 pre 6.0)
- 151b24b - CLI: Add command to migrate all datasources to use encrypted password fields (#17118)

The following containers are packaged with OpenShift 3.11 and OpenShift 4.1 and contain a vulnerable version of grafana (5.4.2):

- openshift4/ose-grafana
- openshift3/grafana

Grafana is included as read-only and the data source's settings menu cannot be accessed, meaning that whilst the vulnerable code is present the plain-text passwords cannot be viewed.

As twalsh stated, the two patches are:

- https://github.com/grafana/grafana/commit/66f6e16916fa1813e30c2ddd271acaf511cee560
- https://github.com/grafana/grafana/commit/151b24b95fb52a777533c9fd76db48ae8967a74e

OpenShift 4.2 and newer openshift4/ose-grafana use at least Grafana 6.2.4, which is not vulnerable.

Upstream bug and pull request:

- https://github.com/grafana/grafana/issues/10827
- https://github.com/grafana/grafana/pull/16175

Statement: Grafana instances packaged with OpenShift Container Platform (OCP) are read-only by default, see [1]. OCP is rated as low because when a user with the correct roles, [2], accesses the Grafana dashboard the data source settings menu is not available by default - preventing access to the plain-text credentials.

[1] https://docs.openshift.com/container-platform/3.11/install_config/prometheus_cluster_monitoring.html#accessing-prometheus-alertmanager-and-grafana_prometheus-cluster-monitoring
[2] https://docs.openshift.com/container-platform/4.2/monitoring/cluster-monitoring/prometheus-alertmanager-and-grafana.html#monitoring-accessing-prometheus-alertmanager-grafana-directly_accessing-prometheus
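An added audit example, not code from this bug report or from the Grafana project: given a data source listing in the shape of Grafana's `/api/datasources` response, it reports which data sources still carry a credential in the plaintext `password` or `basicAuthPassword` field rather than in the encrypted secureJsonData store (which the API reports back as `secureJsonFields`). The field names are assumed from that API shape and the sample listing is constructed; the audit names the affected data source and field but never echoes the credential itself.

```python
import json

# Constructed sample listing. Its shape is an assumption based on Grafana's
# /api/datasources response (plaintext `password` / `basicAuthPassword`
# columns, encrypted secrets reported as `secureJsonFields: {name: true}`);
# it is not a capture from a real instance.
SAMPLE_EXPORT = json.dumps([
    {"id": 1, "name": "legacy-mysql", "type": "mysql",
     "password": "hunter2", "secureJsonFields": {}},
    {"id": 2, "name": "migrated-prom", "type": "prometheus",
     "password": "", "basicAuth": True, "basicAuthPassword": "",
     "secureJsonFields": {"basicAuthPassword": True}},
    {"id": 3, "name": "legacy-basicauth", "type": "prometheus",
     "basicAuth": True, "basicAuthPassword": "s3cret",
     "secureJsonFields": {}},
])

# Fields that pre-6.2 Grafana stored unencrypted in the data_source table.
PLAINTEXT_FIELDS = ("password", "basicAuthPassword")


def find_unmigrated(datasources):
    """Return (name, field) pairs for data sources whose credential is still
    populated in a plaintext field and has no encrypted counterpart in
    secureJsonFields, i.e. sources the encrypt-passwords migration (#17118)
    has not yet been run against."""
    findings = []
    for ds in datasources:
        secure = ds.get("secureJsonFields") or {}
        for field in PLAINTEXT_FIELDS:
            # A non-empty plaintext value with no encrypted flag is a finding.
            if ds.get(field) and not secure.get(field):
                findings.append((ds["name"], field))
    return findings


def audit(export_json):
    """Parse a JSON data source listing and return the unmigrated entries."""
    return find_unmigrated(json.loads(export_json))


if __name__ == "__main__":
    for name, field in audit(SAMPLE_EXPORT):
        # Report the field name only; the plaintext value is never printed.
        print(f"{name}: plaintext {field!r} is set; migrate it to secureJsonData")
```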