Bug 1829724 (CVE-2020-12459)
| Summary: | CVE-2020-12459 grafana: information disclosure through world-readable grafana configuration files | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Hardik Vyas <hvyas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agerstmayr, alegrand, anpicker, bmontgom, eparis, erooth, grafana-maint, hvyas, jburrell, jkurik, jokerman, kakkoyun, kconner, lcosic, mcooper, mgoodwin, mloibl, nathans, nstielau, pkrupa, puebele, rcernich, sponnaga, surbania, toneata, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | grafana 6.7.3-1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An information-disclosure flaw was found in Grafana distributed by Red Hat. This flaw allows a local attacker access to potentially sensitive information such as secret_key and a bind_password from the world-readable files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-06-02 17:20:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1829998, 1830002, 1832637, 1832638 | ||
| Bug Blocks: | 1825837 | ||
Mitigation: Manually change the files permission to remove readable bits for others: # chmod 640 /etc/grafana/grafana.ini /etc/grafana/ldap.toml Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1829998] ServiceMesh packages grafana v6.4.3 which incorrectly sets the file permission of grafana.ini and ldap.toml to 644. Lowered the Severity Rating for ServiceMesh grafana. It would require an unlikely set of circumstances for this to be exploited (also increasing the attack complexity) due to grafana running within a container in ServiceMesh. OCP 3.11 installs Grafana 5.4.3 which is vulnerable to this issue, despite being in the 5.x version series. Statement: Red Hat Ceph Storage 3 and 4 are not affected by this vulnerability, as the shared grafana container uses grafana v5.2.4 which sets correct permissions for configuration files. This issue did not affect the version of grafana as shipped with Red Hat Gluster Storage 3, as it ships grafana v4.6.4 which sets correct permissions for configuration files. In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana containers set their database files to world readable. However, as it's run in a container image with SELinux MCS labels this prevents other processes on the host from reading it. Therefore, for both (OCP and OSSM) the impact is low. This issue has been addressed in the following products: Openshift Service Mesh 1.0 OpenShift Service Mesh 1.0 Via RHSA-2020:2362 https://access.redhat.com/errata/RHSA-2020:2362 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12459 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682 |
For Grafana versions 6.x through 6.4.3 distributed by Red Hat, configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml which contains secret_key and bind_password are world readable. Grafana Versions 5.x : sets correct file permission 0640 ==================== %files [...] %attr(0640, root, grafana) %{_sysconfdir}/%{name}/grafana.ini %attr(0640, root, grafana) %{_sysconfdir}/%{name}/ldap.toml Grafana Version 6.x through 6.4.3 : sets insecure file permission 0644 ================================= # config defaults install -p -m 644 conf/distro-defaults.ini \ %{buildroot}%{_sysconfdir}/%{binary_name}/grafana.ini install -p -m 644 conf/distro-defaults.ini \ %{buildroot}%{_datadir}/%{binary_name}/conf/defaults.ini install -p -m 644 conf/ldap.toml %{buildroot}%{_sysconfdir}/%{binary_name}/ldap.toml install -p -m 644 packaging/rpm/sysconfig/grafana-server \ %{buildroot}%{_sysconfdir}/sysconfig/grafana-server # config files %dir %{_sysconfdir}/%{binary_name} %config(noreplace) %attr(644, root, root) %{_sysconfdir}/%{binary_name}/grafana.ini %config(noreplace) %attr(644, root, root) %{_sysconfdir}/%{binary_name}/ldap.toml %config(noreplace) %{_sysconfdir}/sysconfig/grafana-server Notable fixes which removes readable bits: - change permissions of grafana.ini and ldap.toml to 640(contains secret_key/bind_password) Commit: - https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277