An SSRF incorrect access control vulnerability was found in Grafana regarding the avatar feature, allowing any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Reference: https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1843642]
OpenShift packages a vulnerable version of grafana: - OpenShift 3.11 grafana v5.2.3 - OpenShift 4.x grafana v6.4.3 ServiceMesh also packages a vulnerable version: - ServiceMesh 1.0.x grafana v6.4.3 - ServiceMesh 1.1.x grafana v6.2.2
Additionally, this vulnerability can result in a remote DoS of the service as confirmed by upstream grafana: https://www.openwall.com/lists/oss-security/2020/06/09/2/ It's the same vulnerability, i.e. not validating the /avatar/*md5* without authentication, just different result. Raising the impact to Important (updated CVSS), as this is now essentially a remote DoS with no authentication required. Have increased OpenShift and Service to Moderate, as although they are still protected via the OAuth wall any pod on the cluster network can send to this URL and perform the SSRF or now DoS.
External References: https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/ https://www.openwall.com/lists/oss-security/2020/06/09/2/
upstream fix: https://github.com/grafana/grafana/commit/7a9c0e31eca4958f5fba053cfea9e64a2ea58509
Mitigation: This issue can be mitigated by blocking access to the URL path /avatar/*, through a method such as a reverse proxy, load balancer, application firewall etc.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2641 https://access.redhat.com/errata/RHSA-2020:2641
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13379
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2676 https://access.redhat.com/errata/RHSA-2020:2676
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2792 https://access.redhat.com/errata/RHSA-2020:2792
This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861
This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Via RHSA-2020:5599 https://access.redhat.com/errata/RHSA-2020:5599
Statement: In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the Grafana containers are behind OpenShift OAuth restricting access to the vulnerable path to authenticated users only. However, other pods may still access the vulnerable URL within the cluster. Therefore the impact is moderate for both (OCP and OSSM). Red Hat Ceph Storage 2 is now in Extended Life Support (ELS) Phase of the support. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Ceph Storage Life Cycle: https://access.redhat.com/support/policy/updates/ceph-storage
This issue has been addressed in the following products: Red Hat Ceph Storage 4.2 Via RHSA-2021:0083 https://access.redhat.com/errata/RHSA-2021:0083
This issue has been addressed in the following products: Red Hat Ceph Storage 3 - ELS Via RHSA-2021:1518 https://access.redhat.com/errata/RHSA-2021:1518