An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.

References:
https://exchange.xforce.ibmcloud.com/vulnerabilities/167244
https://security.netapp.com/advisory/ntap-20191009-0002/
Grafana 6.2.0-beta1 (2019-05-07) contains the following fix:
- Security: Store data source passwords encrypted in secureJsonData. #16175, @aocenas

Looks like all versions prior to 6.2.0-beta1 are affected. I've tested it with Grafana 6.1.6 (vulnerable) and Grafana 6.2.0-beta1 (not vulnerable).
One more note: we started to deliver grafana package in RHEL-8.1. We do not deliver grafana package in older versions of RHEL. The version delivered in RHEL-8.1 is grafana-6.2.2 and is not affected by this CVE.
ServiceMesh uses Grafana 6.2.2.

Related commits in date order:
66f6e16 - Security: Store datasource passwords encrypted in secureJsonData (#16175) (post 5.4 pre 6.0)
151b24b - CLI: Add command to migrate all datasources to use encrypted password fields (#17118)
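As an added example (not code from this bug report or from the Grafana project), the following Python audit runs over the JSON records a Grafana data-source listing returns and flags data sources whose credentials still sit in the legacy plain-text fields rather than in the encrypted secureJsonData store that the two commits above introduced. The records below are constructed, and the field names `password`, `basicAuthPassword` and `secureJsonFields` are assumed to match the shape of the API response.

```python
"""Audit Grafana data-source records for passwords that are still stored in
the legacy plain-text fields instead of the encrypted secureJsonData store.

Added example; not code from this bug report or from the Grafana project.
Assumptions about the shape of a Grafana ``GET /api/datasources`` record:
  * ``password`` / ``basicAuthPassword`` carry the legacy plain-text value
    (a non-empty value means a secret is still stored unencrypted);
  * ``secureJsonFields`` maps a field name to ``True`` once the value has
    been written to ``secureJsonData`` (only a presence flag is returned).
"""
from __future__ import annotations

import json
from typing import Any

# Legacy plain-text fields this issue concerns, paired with the
# secureJsonData key that fixed versions use instead.
LEGACY_SECRET_FIELDS = {
    "password": "password",
    "basicAuthPassword": "basicAuthPassword",
}


def classify_datasource(ds: dict[str, Any]) -> dict[str, Any]:
    """Return a finding for one data-source record.

    ``plaintext`` lists legacy fields that still hold a non-empty secret;
    ``encrypted`` lists fields that secureJsonFields reports as encrypted.
    """
    secure = ds.get("secureJsonFields") or {}
    plaintext = [f for f in LEGACY_SECRET_FIELDS if ds.get(f)]
    encrypted = [f for f, key in LEGACY_SECRET_FIELDS.items() if secure.get(key)]
    return {
        "id": ds.get("id"),
        "name": ds.get("name"),
        "type": ds.get("type"),
        "plaintext": plaintext,
        "encrypted": encrypted,
        "needs_migration": bool(plaintext),
    }


def audit_datasources(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Classify every record and return only those still needing migration."""
    return [f for f in map(classify_datasource, records) if f["needs_migration"]]


# Constructed sample of what the data-source API might return on an instance
# upgraded from a pre-6.2 release where only some data sources were re-saved.
SAMPLE_API_RESPONSE = json.dumps([
    {"id": 1, "name": "mysql-legacy", "type": "mysql",
     "password": "constructed-secret", "basicAuthPassword": "",
     "secureJsonFields": {}},
    {"id": 2, "name": "prom-migrated", "type": "prometheus",
     "password": "", "basicAuthPassword": "",
     "secureJsonFields": {"basicAuthPassword": True}},
    {"id": 3, "name": "mysql-migrated", "type": "mysql",
     "password": "", "secureJsonFields": {"password": True}},
])


def audit_sample() -> list[dict[str, Any]]:
    """Run the audit over the constructed sample response."""
    return audit_datasources(json.loads(SAMPLE_API_RESPONSE))


def main() -> None:
    findings = audit_sample()
    for f in findings:
        print(f"datasource {f['id']} ({f['name']}, {f['type']}): "
              f"plain-text fields {f['plaintext']}")
    if findings:
        # Assumed name of the migration command added by #17118.
        print("run: grafana-cli admin data-migration encrypt-datasource-passwords")


if __name__ == "__main__":
    main()
```

Data sources the audit flags are the ones that still carry a plain-text secret after an upgrade; they are the candidates for the migration command that commit 151b24b added, after which the listing should report them only through `secureJsonFields`.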
The following containers are packaged with OpenShift 3.11 and OpenShift 4.1 and contain a vulnerable version of grafana (5.4.2):
- openshift4/ose-grafana
- openshift3/grafana

Grafana is included as read-only and the data source's settings menu cannot be accessed, meaning that whilst the vulnerable code is present the plain text passwords cannot be viewed.

As twalsh stated, the two patches are:
https://github.com/grafana/grafana/commit/66f6e16916fa1813e30c2ddd271acaf511cee560
https://github.com/grafana/grafana/commit/151b24b95fb52a777533c9fd76db48ae8967a74e

OpenShift 4.2 and newer openshift4/ose-grafana use at least Grafana 6.2.4 which is not vulnerable.
Upstream bug and pull request:
https://github.com/grafana/grafana/issues/10827
https://github.com/grafana/grafana/pull/16175
Statement: Grafana instances packaged with OpenShift Container Platform (OCP) are read-only by default, see [1]. OCP is rated as low because when a user with the correct roles, [2], accesses the Grafana dashboard the data source settings menu is not available by default - preventing access to the plain-text credentials.

[1] https://docs.openshift.com/container-platform/3.11/install_config/prometheus_cluster_monitoring.html#accessing-prometheus-alertmanager-and-grafana_prometheus-cluster-monitoring
[2] https://docs.openshift.com/container-platform/4.2/monitoring/cluster-monitoring/prometheus-alertmanager-and-grafana.html#monitoring-accessing-prometheus-alertmanager-grafana-directly_accessing-prometheus