Bug 1827765 (CVE-2020-12458)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-12458 grafana: information disclosure through world-readable /var/lib/grafana/grafana.db | | |
| Product | [Other] Security Response | Reporter | Hardik Vyas <hvyas> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | agerstmayr, alegrand, amctagga, anharris, anpicker, bmontgom, bniver, eparis, erooth, flucifre, gmeno, grafana-maint, hvyas, jburrell, jkurik, jokerman, kakkoyun, kconner, lcosic, mbenjamin, mcooper, mgoodwin, mhackett, mloibl, nathans, nstielau, pkrupa, puebele, rcernich, security-response-team, sponnaga, surbania, toneata, vereddy |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | An information-disclosure flaw was found in the way Grafana set permissions for the database directory and file. This flaw allows a local attacker access to potentially sensitive information such as cleartext or encrypted datasource passwords from /var/lib/grafana/grafana.db. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-11-04 02:25:09 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1828735, 1829987, 1829988, 1829989, 1830006, 1832212, 1832637, 1832638 | | |
| Bug Blocks | 1825837 | | |
Description

Hardik Vyas
2020-04-24 18:17:39 UTC

Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1828735]

Mitigation:

Manually change the directory and file permissions to remove the readable bits for others:

```
# chmod 750 /var/lib/grafana
# chmod 640 /var/lib/grafana/grafana.db
# chown grafana:grafana /var/lib/grafana/grafana.db
```

ServiceMesh grafana also sets its grafana.db permissions to world readable; however, it's located at /data/grafana:

```
bash-4.4$ ls -lah /data/grafana/grafana.db
-rw-r--r--. 1 1000570000 1000570000 992K May 5 04:36 grafana.db
```

Lowered the Severity Rating for ServiceMesh grafana. It would require an unlikely set of circumstances for this to be exploited (also increasing the attack complexity) due to grafana running within a container in ServiceMesh.

OCP 3.11 installs Grafana 5.4.3, which is vulnerable to this issue, despite being in the 5.x version series.

Statement:

The versions of grafana shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 and 4 set world-readable permissions on the grafana database directory and file, and are hence affected by this vulnerability.

In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana containers set their database files to world readable. However, as it's run in a container image with SELinux MCS labels, this prevents other processes on the host from reading it. Therefore, for both (OCP and OSSM) the impact is low.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12458

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8: Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682
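An added audit-and-harden script for the mitigation above (example code, not part of the bug report or of Grafana): it reports whether the Grafana data directory or database grants any permission to "others" and then applies the modes from the mitigation. The variable names GRAFANA_DIR and GRAFANA_DB are assumptions; they default to the paths named in the report and can be overridden to point at a scratch directory for testing.

```shell
#!/bin/sh
# Added example (not from the bug report): audit and harden the permissions
# of Grafana's SQLite database, following the chmod/chown mitigation above.
# GRAFANA_DIR / GRAFANA_DB are assumed names; override them for testing.
GRAFANA_DIR="${GRAFANA_DIR:-/var/lib/grafana}"
GRAFANA_DB="${GRAFANA_DB:-$GRAFANA_DIR/grafana.db}"

# Print the octal mode of a path (GNU/busybox stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when the "others" class has any bit set on the path, 1 when it has
# none, 2 when the path cannot be inspected.
world_accessible() {
    m=$(mode_of "$1") || return 2
    case "$m" in
        *0) return 1 ;;   # last octal digit 0: no permission for others
        *)  return 0 ;;
    esac
}

# Audit: report every path that grants access to others. Returns 1 if any does,
# so it can be used as a check in monitoring or CI.
audit_grafana_perms() {
    rc=0
    for p in "$GRAFANA_DIR" "$GRAFANA_DB"; do
        if world_accessible "$p"; then
            echo "WORLD-ACCESSIBLE: $p (mode $(mode_of "$p"))"
            rc=1
        fi
    done
    return $rc
}

# Harden: apply the modes from the mitigation. The chown is attempted only
# when running as root and a grafana user exists (neither holds on a test box).
harden_grafana_perms() {
    chmod 750 "$GRAFANA_DIR" && chmod 640 "$GRAFANA_DB" || return 1
    if [ "$(id -u)" = 0 ] && id grafana >/dev/null 2>&1; then
        chown grafana:grafana "$GRAFANA_DB" || return 1
    fi
}
```

Run `audit_grafana_perms` on its own to check a host without changing anything; a non-zero exit means the database is still readable by other local users.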