This vulnerability allows any unauthenticated user/client to access the Grafana snapshot HTTP API and create a denial of service attack by posting large amounts of dashboard snapshot payloads to the /api/snapshotsHTTP API endpoint.
External Reference: https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1747308]
Upstream patches: https://github.com/grafana/grafana/commit/ebc257ad47133eb12ae63160c8b7307306f9ced8 [5.4.5] https://github.com/grafana/grafana/commit/be2e2330f5c1f92082841d7eb13c5583143963a4 [6.3.4]
Mitigation: Block access to the snapshot feature by blocking the /api/snapshots URL via a web application firewall, load balancer, reverse proxy etc. You can also set 'external_enabled' to false to disable external snapshot publish endpoint (default true). Note, it will completely disable this feature. # cat /etc/grafana/grafana.ini [...] [snapshots] # snapshot sharing options external_enabled = false external_snapshot_url = https://snapshots-origin.raintank.io external_snapshot_name = Publish to snapshot.raintank.io [...]
Acknowledgments: Name: the Grafana team
Statement: OpenShift Container Platform secures all usages of Grafana behind the oauth-proxy, preventing access to Grafana without authentication. Red Hat Product Security have rated this vulnerability as Low for OpenShift Container Platform. This issue affects the version of Grafana as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it contains the vulnerable snapshot functionality.
`/api/snapshots` endpoint is deeply integrated in grafana codebase and CANNOT be completely disabled. One can only disable sharing snapshots externally with `external_enabled = false` option [1], which removes `/api/snapshot/shared-options` endpoint [2]. In OpenShift all grafana endpoints are protected with oauth-proxy, preventing access to Grafana without authentication. I would argue that in case of OpenShift this is not an issue. [1]: https://grafana.com/docs/grafana/latest/installation/configuration/#snapshots [2]: https://github.com/grafana/grafana/blob/master/public/app/features/dashboard/components/ShareModal/ShareSnapshot.tsx#L61-L67
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1659 https://access.redhat.com/errata/RHSA-2020:1659
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-15043