Bug 1746945 (CVE-2019-15043) - CVE-2019-15043 grafana: incorrect access control in snapshot HTTP API leads to denial of service
Summary: CVE-2019-15043 grafana: incorrect access control in snapshot HTTP API leads t...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-15043
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1747423 1747308 1747309 1747310 1747311 1747424 1753408
Blocks: 1746950
TreeView+ depends on / blocked
 
Reported: 2019-08-29 14:49 UTC by msiddiqu
Modified: 2020-04-28 16:34 UTC (History)
30 users (show)

Fixed In Version: grafana 5.4.5, grafana 6.3.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:34:03 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1659 None None None 2020-04-28 15:36:58 UTC

Description msiddiqu 2019-08-29 14:49:29 UTC
This vulnerability allows any unauthenticated user/client to access the Grafana snapshot HTTP API and create a denial of service attack by posting large amounts of dashboard snapshot payloads to the /api/snapshotsHTTP API endpoint.

Comment 2 Sam Fowler 2019-08-30 05:37:02 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1747308]

Comment 6 Hardik Vyas 2019-08-30 12:09:34 UTC
Mitigation:

Block access to the snapshot feature by blocking the /api/snapshots 
URL via a web application firewall, load balancer, reverse proxy etc.

You can also set 'external_enabled' to false to disable external 
snapshot publish endpoint (default true). Note, it will completely
disable this feature.

# cat /etc/grafana/grafana.ini
[...]
[snapshots]
# snapshot sharing options
external_enabled = false
external_snapshot_url = https://snapshots-origin.raintank.io
external_snapshot_name = Publish to snapshot.raintank.io
[...]

Comment 8 msiddiqu 2019-08-30 13:42:47 UTC
Acknowledgments:

Name: the Grafana team

Comment 10 Hardik Vyas 2019-09-04 11:16:32 UTC
Statement:

OpenShift Container Platform secures all usages of Grafana behind the oauth-proxy, preventing access to Grafana without authentication. Red Hat Product Security have rated this vulnerability as Low for OpenShift Container Platform.
This issue affects the version of Grafana as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it contains the vulnerable snapshot functionality.

Comment 13 Pawel Krupa 2020-03-18 08:22:07 UTC
`/api/snapshots` endpoint is deeply integrated in grafana codebase and CANNOT be completely disabled. One can only disable sharing snapshots externally with `external_enabled = false` option [1], which removes `/api/snapshot/shared-options` endpoint [2].

In OpenShift all grafana endpoints are protected with oauth-proxy, preventing access to Grafana without authentication.

I would argue that in case of OpenShift this is not an issue.


[1]: https://grafana.com/docs/grafana/latest/installation/configuration/#snapshots
[2]: https://github.com/grafana/grafana/blob/master/public/app/features/dashboard/components/ShareModal/ShareSnapshot.tsx#L61-L67

Comment 14 errata-xmlrpc 2020-04-28 15:36:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1659 https://access.redhat.com/errata/RHSA-2020:1659

Comment 15 Product Security DevOps Team 2020-04-28 16:34:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15043


Note You need to log in before you can comment on or make changes to this bug.