Today we are releasing Grafana Enterprise 8.4.6. This patch release includes a high severity security fix that affects Grafana Enterprise versions from v8.1.0-beta1 through v8.4.5.
Release v8.4.6, only containing a security fix:
Privilege escalation (CVE-2022-24812)
On April 3, during an internal security audit, we discovered a security vulnerability impacting Grafana Enterprise instances which have the fine-grained access control beta feature enabled and have at least two API Keys with different roles.
This vulnerability allowed clients using the Grafana API Key for making requests to gain permissions of the previous requests, which could lead to an escalation of privileges, depending on the permissions of the previous request. We have received CVE-2022-24812 for this issue. The CVSS score for this vulnerability is 8.0 High (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) for Grafana Enterprise versions 8.1.0-beta1 to 8.4.5.
Grafana OSS is not impacted by the vulnerability.
Affected versions with high severity
Grafana Enterprise 8.1.0-beta1 to 8.4.5
Solutions and mitigations
All Grafana Enterprise installations between v8.1.0-beta1 and v8.4.5 that have fine-grained access control beta enabled should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.
All Grafana Cloud instances have already been patched with the fix.
As always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. In alphabetical order, this is applicable to Amazon Managed Grafana and Azure Managed Grafana.
Timeline and postmortem
Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
- 2022-04-03 13:02 A potential Issue related to fine-grained access control escalated internally
- 2022-04-03 12:07 Issue escalated and the vulnerability confirmed reproducible
- 2022-04-03 14:30 Decision is made to release a private patch
- 2022-04-04 09:06 CVE requested
- 2022-04-04 12:40 Private release planned for 2022-04-05, and public release planned for 2022-04-12
- 2022-04-04 12:40 GitHub has issued CVE-2022-24812
- 2022-04-05 12:00 Private release
- 2022-04-12 12:00 Public release
Reporting security issues
If you think you have found a security vulnerability, please send a report to email@example.com. This address can be used for all of Grafana Labs’ open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address.
Please encrypt your message to us; please use our PGP key. The key fingerprint is:
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and we may ask for additional information or guidance.
Important: We ask you not to disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
We maintain a category on the Grafana community site called Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes. We also have a security category on our blog.
You can also subscribe to email updates to this category if you have a grafana.com account and sign on to the community site or track updates via an RSS feed.