Grafana Enterprise 8.5.3 and 7.5.16 released with moderate severity security fix
Today we are releasing Grafana Enterprise 8.5.3 and 7.5.16. These patch releases include a moderate severity security fix that affects Grafana Enterprise versions from v7.4.0-beta1 through v8.5.2.
Release v8.5.3, only containing a security fix:
Release v7.5.16, only containing a security fix:
SSRF - data source network restrictions bypass via HTTP redirects (CVE-2022-29170)
Summary
On May 2, during an internal security audit, we discovered a security vulnerability which impacts Grafana Enterprise instances that are using the request security feature.
Prerequisite
In order to reproduce the vulnerability in Grafana Enterprise, the following conditions must be met:
- Request security allow list feature is configured to use at least one
host_allow_listorhost_deny_list. - There is a possibility of adding a custom data source to Grafana which returns HTTP redirects.
Request security allow list allows users to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability allows users to bypass these security configurations if a malicious data source (running on an allowed host) returns an HTTP redirect to a forbidden host.
We have received CVE-2022-29170 for this issue. The CVSS score for this vulnerability is 6.6 Moderate (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L) for Grafana Enterprise versions 7.4.0-beta1 to 8.5.2.
Grafana OSS as well as Grafana Cloud are not impacted by this vulnerability.
Affected versions with moderate severity
Grafana Enterprise 7.4.0-beta1 to 8.5.2
Solutions and mitigations
All Grafana Enterprise installations between v7.4.0-beta1 and v8.5.2 that meet the above mentioned conditions should be upgraded as soon as possible.
As always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. In alphabetical order, this is applicable to Amazon Managed Grafana and Azure Managed Grafana.
Timeline and postmortem
Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
- 2022-05-02 A potential Issue related to the request security feature in Grafana Enterprise has been reported internally
- 2022-05-02 12:33 Issue escalated and the vulnerability confirmed reproducible
- 2022-05-02 15:00 Decision is made to release a private patch
- 2022-05-02 15:21 CVE requested
- 2022-05-03 15:58 Private release planned for 2022-05-05, and public release planned for 2022-05-19
- 2022-05-05 12:00 Private release
- 2022-05-19 12:00 Public release
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can only accept vulnerability reports at this address.
Please encrypt your message to us, using our PGP key. The key fingerprint is:
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and we may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you have received a response from the Grafana Labs security team that you can do so.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
