Bug 1843640 (CVE-2020-13379)
| Summary: | CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | agerstmayr, alegrand, amctagga, anharris, anpicker, bmontgom, bniver, eparis, erooth, flucifre, gmeno, grafana-maint, hvyas, jburrell, jkurik, jokerman, kakkoyun, kconner, lcosic, mbenjamin, mcooper, mgoodwin, mhackett, mloibl, nathans, nstielau, pkrupa, puebele, rcernich, scorneli, sponnaga, surbania, vbellur, vereddy, vz.mec |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | grafana 7.0.2, grafana 6.7.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An SSRF incorrect access control vulnerability was found in Grafana regarding the avatar feature, allowing any unauthenticated user or client to make Grafana send HTTP requests to any URL and then return its result to the user or client. Additionally, the same issue can create a NULL pointer dereference vulnerability. This flaw allows an attacker to gain information about the network that Grafana is running on, or cause a segmentation fault, resulting in a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-06-22 11:20:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1843642, 1843777, 1843778, 1843964, 1847260, 1847261, 1847262, 1847263, 1847310, 1847459, 1847519, 1847520, 1847521, 1847543, 1847552 | ||
| Bug Blocks: | 1843641 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-06-03 17:20:27 UTC
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1843642] OpenShift packages a vulnerable version of grafana: - OpenShift 3.11 grafana v5.2.3 - OpenShift 4.x grafana v6.4.3 ServiceMesh also packages a vulnerable version: - ServiceMesh 1.0.x grafana v6.4.3 - ServiceMesh 1.1.x grafana v6.2.2 Additionally, this vulnerability can result in a remote DoS of the service as confirmed by upstream grafana: https://www.openwall.com/lists/oss-security/2020/06/09/2/ It's the same vulnerability, i.e. not validating the /avatar/*md5* without authentication, just different result. Raising the impact to Important (updated CVSS), as this is now essentially a remote DoS with no authentication required. Have increased OpenShift and Service to Moderate, as although they are still protected via the OAuth wall any pod on the cluster network can send to this URL and perform the SSRF or now DoS. External References: https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/ https://www.openwall.com/lists/oss-security/2020/06/09/2/ Mitigation: This issue can be mitigated by blocking access to the URL path /avatar/*, through a method such as a reverse proxy, load balancer, application firewall etc. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2641 https://access.redhat.com/errata/RHSA-2020:2641 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13379 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2676 https://access.redhat.com/errata/RHSA-2020:2676 This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2792 https://access.redhat.com/errata/RHSA-2020:2792 This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861 This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Via RHSA-2020:5599 https://access.redhat.com/errata/RHSA-2020:5599 Statement: In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the Grafana containers are behind OpenShift OAuth restricting access to the vulnerable path to authenticated users only. However, other pods may still access the vulnerable URL within the cluster. Therefore the impact is moderate for both (OCP and OSSM). Red Hat Ceph Storage 2 is now in Extended Life Support (ELS) Phase of the support. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Ceph Storage Life Cycle: https://access.redhat.com/support/policy/updates/ceph-storage This issue has been addressed in the following products: Red Hat Ceph Storage 4.2 Via RHSA-2021:0083 https://access.redhat.com/errata/RHSA-2021:0083 This issue has been addressed in the following products: Red Hat Ceph Storage 3 - ELS Via RHSA-2021:1518 https://access.redhat.com/errata/RHSA-2021:1518 |