For Grafana versions 6.x through 6.4.3 distributed by Red Hat, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml, which contain secret_key and bind_password, are world readable.

Grafana versions 5.x: sets correct file permission 0640
====================

%files
[...]
%attr(0640, root, grafana) %{_sysconfdir}/%{name}/grafana.ini
%attr(0640, root, grafana) %{_sysconfdir}/%{name}/ldap.toml

Grafana versions 6.x through 6.4.3: sets insecure file permission 0644
=================================

# config defaults
install -p -m 644 conf/distro-defaults.ini \
    %{buildroot}%{_sysconfdir}/%{binary_name}/grafana.ini
install -p -m 644 conf/distro-defaults.ini \
    %{buildroot}%{_datadir}/%{binary_name}/conf/defaults.ini
install -p -m 644 conf/ldap.toml %{buildroot}%{_sysconfdir}/%{binary_name}/ldap.toml
install -p -m 644 packaging/rpm/sysconfig/grafana-server \
    %{buildroot}%{_sysconfdir}/sysconfig/grafana-server

# config files
%dir %{_sysconfdir}/%{binary_name}
%config(noreplace) %attr(644, root, root) %{_sysconfdir}/%{binary_name}/grafana.ini
%config(noreplace) %attr(644, root, root) %{_sysconfdir}/%{binary_name}/ldap.toml
%config(noreplace) %{_sysconfdir}/sysconfig/grafana-server

Notable fix which removes the readable bits:
- change permissions of grafana.ini and ldap.toml to 640 (contains secret_key/bind_password)

Commit:
- https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277
Mitigation: Manually change the file permissions to remove the readable bits for others:

# chmod 640 /etc/grafana/grafana.ini /etc/grafana/ldap.toml
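A small audit-and-remediate script for the two files named above, added here as an example; it is not code from the bug report or the grafana package. It reads the mode with GNU coreutils stat (an assumption about the host), reports any file whose "others" bits include read, and optionally applies the same chmod 640 as the mitigation.

```shell
#!/bin/sh
# Added example, not code from the bug report or the grafana package.
# Audits the Grafana config files named in the report for a world-read
# bit and tightens them to 0640 (the mode the 5.x spec used).
# Assumes GNU coreutils stat (-c '%a'); the paths are the ones from the report.
DEFAULT_FILES="/etc/grafana/grafana.ini /etc/grafana/ldap.toml"

# Print "path (mode)" for every existing file whose "others" bits include read.
# Returns 0 if at least one such file was found (grep-style), 1 otherwise.
find_world_readable() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f") || continue
        others=$(( mode % 10 ))          # last octal digit = "others" triplet
        if [ $(( others & 4 )) -ne 0 ]; then
            printf '%s (%s)\n' "$f" "$mode"
            found=0
        fi
    done
    return $found
}

# Set owner rw, group r, nothing for others (0640), as the mitigation does.
# The group must still be the one the grafana service runs as (root:grafana
# in the package spec) or the service loses access to its own config.
harden_configs() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            chmod 640 "$f"
        fi
    done
    return 0
}

# Usage:  sh grafana-perms.sh --check   (report only)
#         sh grafana-perms.sh --fix     (report, then chmod 640)
case "${1:-}" in
    --check) find_world_readable $DEFAULT_FILES ;;
    --fix)   find_world_readable $DEFAULT_FILES; harden_configs $DEFAULT_FILES ;;
esac
```

Run with --check from a config-management or compliance job to detect a package that reintroduced the 644 mode; --fix is the manual mitigation above applied to every file that needs it.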
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1829998]
ServiceMesh packages grafana v6.4.3 which incorrectly sets the file permission of grafana.ini and ldap.toml to 644.
Lowered the Severity Rating for ServiceMesh grafana. It would require an unlikely set of circumstances for this to be exploited (also increasing the attack complexity) due to grafana running within a container in ServiceMesh.
OCP 3.11 installs Grafana 5.4.3 which is vulnerable to this issue, despite being in the 5.x version series.
Statement: Red Hat Ceph Storage 3 and 4 are not affected by this vulnerability, as the shared grafana container uses grafana v5.2.4, which sets correct permissions for configuration files. This issue did not affect the version of grafana as shipped with Red Hat Gluster Storage 3, as it ships grafana v4.6.4, which sets correct permissions for configuration files. In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana containers set their database files to world readable. However, as it is run in a container image with SELinux MCS labels, this prevents other processes on the host from reading it. Therefore, for both (OCP and OSSM) the impact is low.
This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:2362 https://access.redhat.com/errata/RHSA-2020:2362
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12459
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682