Grafana 5.4.5 and 6.3.4 Released with Important Security Fix

Today we are releasing Grafana 5.4.5 and 6.3.4. These patch releases include an important security fix that affects all Grafana versions between 2.0.0 and 6.3.3.

Latest stable release in 5.x:

• Download Grafana 5.4.5
• Release notes

Latest stable release in 6.x:

• Download Grafana 6.3.4
• Release notes

Incorrect Access Control Vulnerability (CVE-2019-15043)

We received a security report to security@grafana.com on August 12, 2019, about a vulnerability in Grafana involving incorrect access to the HTTP API. It was later identified as affecting Grafana versions from 2.0.0 to 6.3.3. CVE-2019-15043 has been reserved for this vulnerability.

This vulnerability allows a user/client to access parts of the Grafana HTTP API without being authenticated. This makes it possible to run a denial of service attack against the server running Grafana.

Affected Versions

Grafana releases 2.0.0 through 6.3.3

Solutions and Mitigations

Download and install the appropriate patch for your version of Grafana.

Grafana Cloud instances have already been patched, and Grafana Enterprise customers have been provided with updated binaries.

Timeline and Postmortem

Here is a detailed timeline starting from when we originally learned of the issue.

August 12, 2019

• 16:10 CEST: Received vulnerability report to security@grafana.com from Jean-Louis Dupond.
• 16:20 CEST: Confirmed issue and determined that versions from 2.0.0 to 6.3.3 including Grafana Cloud are affected.
• 16:30 CEST: Let the reporter know that we’ve confirmed the issue as a security vulnerability and that it will be fixed and released in the next upcoming release.

August 13, 2019

• 09:00 CEST: Assigned Marcus Efraimsson (@marefr) to be responsible for the patch release and Leonard Gram (@xlson) to assist when needed.
• 10:40 CEST: A release plan was established.
• 11:00 CEST: Started work on security fix for Grafana v6.3.x in private mirror.

August 14, 2019

• 14:46 CEST: Requested a new CVE id for the vulnerability.
• 16:57 CEST: Confirmation that CVE-2019-15043 has been reserved.

August 19, 2019

• 14:27 CEST: Merged security fix to v6.3.x release branch in private mirror.
• 14:30 CEST: Started work of backporting security fix to v5.4.x release branch in private mirror.
• 16:38 CEST: Merged security fix to v5.4.x release branch in private mirror.
• 18:00 CEST: Built private release of Grafana OSS and Grafana Enterprise v5.4.5.

August 20, 2019

• 14:00 CEST: Built private release of Grafana OSS and Grafana Enterprise v6.3.4.

August 21, 2019

• 20:03 CEST: Grafana and Grafana Enterprise v6.3.4 images built for Grafana Cloud.

August 22, 2019

• 17:53 CEST: Grafana and Grafana Enterprise v6.3.4 available in Grafana Cloud.
• 17:55 CEST: Proactively provided Grafana Enterprise customers and partners with details and links to patched versions.

August 27, 2019

• 15:19: Patch rolled out to Grafana Cloud.

August 29, 2019

• 13:00 CEST: Released 5.4.5 and 6.3.4.
• 13:00 CEST: Published this blog post.

September 2, 2019

• 13:00 CEST: The patch will be merged from our private mirror into grafana master.

Reporting Security Issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’s open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from pgp.mit.edu by searching for grafana.

Security Announcements

We maintain a category on the community site named Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to email updates to this category if you have a grafana.com account and sign in to the community site, or via updates from our Security Announcements RSS feed.

Conclusion

If you run a Grafana instance between version 2.0.0 and 6.3.3, please upgrade to Grafana 5.4.5 or 6.3.4 as soon as possible.