Grafana 6.7.6, 7.3.10, and 7.4.5 released with important security fixes for Grafana Enterprise

Published: 18 Mar 2021

We released Grafana 6.7.6, 7.3.10, and 7.4.5 today. These patch releases include important security fixes for all Grafana Enterprise versions from 6.1.0-beta1 through 7.4.4. Grafana OSS is not affected, as it does not use the features affected by the vulnerabilities; for Grafana OSS these are janitorial releases that only keep version information in sync.

- Release 7.4.5, only containing a security fix
- Release 7.3.10, only containing a security fix
- Release 6.7.6, only containing a security fix

Remote escalation of privileges vulnerability (CVE-2021-27962)

On February 26, during an internal security audit, we discovered that Grafana Enterprise 7.2.0 introduced a mechanism that allows users with the Editor role to bypass data source permissions on an organization's default data source, when one is configured.

This security issue allows any user with the Editor organizational role in Grafana who has no access to the default data source to manipulate a dashboard with alerts and expose data from that restricted data source to any notification channel. Note that in order to exploit this, you would need to have alerting enabled and assign the Editor organizational role to users.

Affected versions with high severity

Grafana Enterprise 7.2.0 to 7.4.3

Solutions and mitigations

All installations between 7.2.0 and 7.4.3 should be upgraded as soon as possible. There is no good way to mitigate the vulnerability. If you cannot upgrade, you should make sure that the default data source in each organization is safe for any member of the organization to query.

Remote access control bypass vulnerabilities (CVE-2021-28146, CVE-2021-28147)

On March 10, during an internal security audit, we discovered that on Grafana Enterprise instances using an external authentication service, Grafana Enterprise 7.4.0 introduced a mechanism that allows any authenticated user to use an HTTP API to add external groups to any existing team. Once a user from this external group logs in, the user is granted all permissions that the team has on dashboards and data sources. This vulnerability also allows any unauthenticated user/client that knows a team ID to list existing external groups related to that team. We have reserved CVE-2021-28146 for this issue.

As we continued an internal audit, on March 11, we discovered that Grafana Enterprise 6.1.0 introduced the same vulnerability as above, but only for Grafana instances that have the editorsCanAdmin feature enabled. We have reserved CVE-2021-28147 for this issue.

The vulnerabilities allow a user to grant themselves, or others, team permissions that they are not authorized to have.

Note that these vulnerabilities can only be triggered if you have defined at least one team with special permissions in Grafana, even if that team is unused.

Affected versions with high severity

Grafana Enterprise 7.4.0-beta1 to 7.4.4 are affected by the CVE-2021-28146 vulnerability.

Grafana Enterprise 6.1.0-beta1 to 7.4.4 are affected by the CVE-2021-28147 vulnerability.

Solutions and mitigations

All installations between 6.1.0-beta1 and 7.4.4 should be upgraded as soon as possible. There is no good way to mitigate the vulnerability. If you cannot upgrade and are on a version before 7.4.0, you should consider disabling the editorsCanAdmin feature; if you are on 7.4.x, you should consider temporarily not using teams in Grafana.

Remote unauthenticated denial of service vulnerability (CVE-2021-28148)

On March 11, during an internal security audit, we discovered that Grafana Enterprise 6.6.0 introduced a new HTTP API endpoint for usage insights, which lets any unauthenticated user send an unlimited number of requests to the endpoint. This allows for denial of service (DoS) attacks against Grafana Enterprise instances.

Affected versions with high severity

Grafana Enterprise 6.6.0-beta1 to 7.4.4

Solutions and mitigations

All installations between 6.6.0-beta1 and 7.4.4 should be upgraded as soon as possible. There is no good way to mitigate the vulnerability.
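As an added example (not part of this advisory or of Grafana's own tooling), a small Python check that maps a Grafana Enterprise version string onto the CVEs above, using only the inclusive affected ranges and fixed releases stated here. It assumes that a `-betaN` build sorts before the final release of the same number and that later patches on a fixed minor line (for example anything at or above 7.3.10 on 7.3.x) also carry the fix.

```python
import re
from typing import List, Tuple

# Inclusive affected ranges for Grafana Enterprise, exactly as stated in the advisory.
AFFECTED_RANGES = {
    "CVE-2021-27962": ("7.2.0", "7.4.3"),
    "CVE-2021-28146": ("7.4.0-beta1", "7.4.4"),
    "CVE-2021-28147": ("6.1.0-beta1", "7.4.4"),
    "CVE-2021-28148": ("6.6.0-beta1", "7.4.4"),
}
# Patch releases carrying the fixes; assumption: later patches on the same
# major.minor line are fixed as well.
FIXED_RELEASES = ["6.7.6", "7.3.10", "7.4.5"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-beta(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable key; a beta sorts before the final release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, beta = m.groups()
    is_final = 1 if beta is None else 0
    return (int(major), int(minor), int(patch), is_final, int(beta or 0))


def is_patched_line(version: str) -> bool:
    """True if the version is at or past the fixed release on its own major.minor line."""
    v = parse_version(version)
    for fixed in FIXED_RELEASES:
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:
            return True
    return False


def affecting_cves(version: str, enterprise: bool = True) -> List[str]:
    """List the advisory's CVEs that apply to a Grafana version (OSS is never affected)."""
    if not enterprise or is_patched_line(version):
        return []
    v = parse_version(version)
    return [cve for cve, (lo, hi) in AFFECTED_RANGES.items()
            if parse_version(lo) <= v <= parse_version(hi)]


if __name__ == "__main__":
    for ver in ["7.4.4", "7.4.0-beta1", "7.3.10", "6.7.5", "7.4.5"]:
        print(ver, affecting_cves(ver))
```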

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us, so please use our PGP key. The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a category on the community site called Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to email updates to this category if you have a grafana.com account and sign on to the community site or track updates via an RSS feed.

Conclusion

If you run a Grafana Enterprise instance between version 6.1.0-beta1 and 7.4.4, please upgrade to Grafana 6.7.6, 7.3.10, or 7.4.5 as soon as possible.

Affected Grafana Cloud instances have already been upgraded to the versions with the fixes. Grafana Enterprise customers have been provided with updated binaries ahead of this disclosure.