Bug 1873615 (CVE-2019-19499)

Summary: CVE-2019-19499 grafana: arbitrary file read via MySQL data source
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agerstmayr, alegrand, amctagga, anpicker, bmontgom, eparis, erooth, grafana-maint, hvyas, jburrell, jkurik, jokerman, kakkoyun, kconner, lcosic, mgoodwin, mloibl, nathans, nstielau, pkrupa, puebele, rcernich, sponnaga, surbania
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: grafana-6.4.4 Doc Type: If docs needed, set a value
Doc Text:
Grafana has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:26:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1874789, 1875269, 1882158, 1882159, 1882226, 1882516    
Bug Blocks: 1873616    

Description Guilherme de Almeida Suckevicz 2020-08-28 18:42:42 UTC 
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.

Reference:
https://swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read/
Comment 1 Jason Shepherd 2020-09-01 05:42:32 UTC 
Upstream commit: 
https://github.com/grafana/grafana/commit/e32ee480f56657789beea010f12baf01b44b4cfe
Comment 2 Przemyslaw Roguski 2020-09-01 14:42:58 UTC 
External References:

https://swarm.ptsecurity.com/grafana-6-4-3-arbitrary-file-read/
Comment 14 Sage McTaggart 2020-09-24 19:34:20 UTC 
Statement:

A vulnerable version of Grafana is shipped in OpenShift 3.11 and OpenShift ServiceMesh, however Prometheus is used as a data source and modification to MySQL requires full control of the grafana component. Access is restricted to authenticated users only by OpenShift OAuth. As OpenShift and OpenShift ServiceMesh still packages the vulnerable code, the components are affected but with impact Low. 

Red Hat Ceph Storage 3 and 4 ships an older version of the affected code, which is still possible to exploit. However, Ceph 3 and 4 do not use mysql as a datasource, therefore, the impact is low.

Red Hat Gluster Storage 3 ships vulnerable version of grafana, however Graphite is the only supported data source and hence this issue has been rated as having a security impact of Low.
Comment 15 Product Security DevOps Team 2020-11-04 02:26:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19499
Comment 16 errata-xmlrpc 2020-11-04 02:59:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682