Bug 1938981 (CVE-2021-28148)

Summary: CVE-2021-28148 grafana: usage insights API endpoint doesn't limit number of requests which could result in DoS
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agerstmayr, alegrand, amctagga, anharris, anpicker, bmontgom, bniver, eparis, erooth, flucifre, gghezzo, gmeno, gparvin, grafana-maint, hvyas, jburrell, jkurik, jokerman, jramanat, jweiser, jwendell, kakkoyun, kconner, lcosic, mbenjamin, mgoodwin, mhackett, nathans, nstielau, pkrupa, puebele, rcernich, security-response-team, sostapov, sponnaga, stcannon, surbania, thee, twalsh, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Grafana Enterprise 7.4.5, Grafana Enterprise 6.7.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Grafana Enterprise. The HTTP API endpoint for usage insights can be used by any unauthenticated user to send an unlimited number of requests to that endpoint, leading to a denial of service (DoS). The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-29 11:35:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1938968    

Description Michael Kaplan 2021-03-15 12:03:05 UTC 
Grafana Enterprise 6.6.0 introduced a new HTTP API endpoint for usage insights which allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attacks against Grafana Enterprise instances. We have reserved CVE-2021-28148 for this issue. This vulnerability allows users to perform DoS attacks.
Comment 2 Sage McTaggart 2021-03-15 19:15:03 UTC 
Statement:

Red Hat products do not ship Grafana Enterprise version, therefore they are not affected by this vulnerability.
Comment 3 Przemyslaw Roguski 2021-03-18 17:44:50 UTC 
External References:

https://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18
Comment 4 Product Security DevOps Team 2021-03-29 11:35:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28148