The snapshot feature in Grafana before 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. References: https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17 https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1941025]
Statement: While OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) ship a vulnerable version of grafana, access to the grafana panel is behind the OpenShift OAuth proxy and requires admin permissions. Therefore these components are affected, but with impact Low. Red Hat Ceph Storage (RHCS) and Red Hat Gluster Storage 3 do not ship the directly affected code; however, they are still affected by this vulnerability because they allow the same configuration of anonymous snapshots, hence this issue has been rated as having a security impact of Low.
Upstream fix: https://github.com/grafana/grafana/commit/064546f3823ea40f59c22832f1966524f798f8be
External References: https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7; Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8. Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27358
This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2021:4226 https://access.redhat.com/errata/RHSA-2021:4226