
Grafana v9.0.3, v8.5.9, v8.4.10, and v8.3.10 released with high severity security fix

July 14, 2022

Today we are releasing Grafana 9.0.3, 8.5.9, 8.4.10, and 8.3.10. These patch releases include high severity security fixes for two vulnerabilities: CVE-2022-31097, which affects Grafana v8.0 to v9.0.1, and CVE-2022-31107, which affects Grafana v5.3 to v9.0.1.

Release v9.0.3, latest patch, also containing security fixes:

Release v8.5.9, only containing security fixes:

Release v8.4.10, only containing security fixes:

Release v8.3.10, only containing security fixes:

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.

Acknowledgements

We would like to thank Maxim Misharin (Stored XSS) and the HTTPVoid team (OAuth account takeover) for responsibly disclosing these vulnerabilities.

Stored XSS (CVE-2022-31097)

Summary of CVE-2022-31097

An external security researcher, Maxim Misharin, contacted Grafana Labs to disclose a stored XSS vulnerability in Grafana Alerting (previously referred to as Unified Alerting when it was introduced in Grafana 8.0). We believe that this vulnerability is rated at CVSS 7.3 (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

Impacted versions

To be impacted, Grafana Alerting must be enabled. (Note: Grafana Alerting is activated by default in Grafana 9.0.)

How to reproduce

Make sure Grafana Alerting (previously referred to as Unified Alerting) is activated.

  1. Using an account in which the user has Editor permissions, click on Alerting and then Alert rules.
  2. Create a new alert rule by clicking the New alert rule button.
  3. In section 1, go to Set a query and alert condition.
    • In step A, choose any existing data source.
  4. In section 3, go to Add details for your alert.
    • Provide a rule name, a folder, and a group name.
    • Fill in Runbook URL with this content: javascript:alert("xss").
    • Save the new alert rule.
  5. Check that your new alert rule appears by clicking Alerting > Alert rules, then going to the folder name you created for the alert rule.
  6. Expand the rule details by clicking on the > icon.
  7. Click View runbook.
  8. A popup should appear containing text xss.

Solutions and mitigations

All installations from Grafana v8.0 to v9.0.1 should be upgraded as soon as possible. Mitigation is possible by turning off Grafana Alerting.
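For teams that want to check existing rules while upgrading, here is an added example (not Grafana's code or its fix) that audits runbook URLs with a scheme allowlist instead of a blocklist. It assumes alert rules exported as JSON with the runbook link under `annotations.runbook_url`; that key name and the sample rules are assumptions constructed for illustration.

```javascript
// Added example: audit alert-rule runbook URLs with a scheme allowlist.
// Assumption: rules are exported as JSON objects carrying the runbook link in
// annotations.runbook_url; the key name and the sample data are not from the page.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns null when the value is safe to render as a link, else a reason string.
function runbookUrlProblem(value) {
  if (typeof value !== 'string' || value.trim() === '') return null; // nothing to render
  let parsed;
  try {
    // WHATWG URL parsing, the algorithm browsers apply to an href: it
    // lowercases the scheme and strips leading and trailing whitespace.
    parsed = new URL(value);
  } catch {
    return 'not an absolute URL';
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return `scheme ${parsed.protocol} is not allowed`;
  }
  return null;
}

// Collects every rule whose runbook URL fails the allowlist.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const url = rule.annotations ? rule.annotations.runbook_url : undefined;
    const problem = runbookUrlProblem(url);
    if (problem) findings.push({ title: rule.title, url, problem });
  }
  return findings;
}

// Constructed sample export.
const sampleRules = [
  { title: 'disk-full', annotations: { runbook_url: 'https://wiki.example.com/runbooks/disk' } },
  { title: 'repro-from-advisory', annotations: { runbook_url: 'javascript:alert("xss")' } },
  { title: 'mixed-case', annotations: { runbook_url: '  JavaScript:alert("xss")' } },
  { title: 'relative', annotations: { runbook_url: 'runbooks/cpu' } },
  { title: 'no-runbook', annotations: {} },
];

for (const f of auditRules(sampleRules)) {
  console.log(`${f.title}: ${f.problem} (${JSON.stringify(f.url)})`);
}
```

Parsing before comparing is what catches the mixed-case entry: a string comparison against `javascript:` would miss it, while the parsed scheme is already normalized.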

Timeline

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

  • 2022-06-19 10:32 - Research submission of vulnerability report
  • 2022-06-20 14:35 - Issue triaged, confirmed positive, and internal incident raised
  • 2022-06-20 18:40 - Fix PR submitted and reviewed
  • 2022-06-23 07:12 - All Grafana Cloud hosted Grafana instances patched
  • 2022-07-05 07:14 - Customers informed under embargo
  • 2022-07-14 02:00 - Public release

OAuth Account Takeover (CVE-2022-31107)

Summary of CVE-2022-31107

The HTTPVoid team contacted Grafana Labs to disclose an OAuth account takeover vulnerability. We believe that this vulnerability is rated at CVSS 7.1 (CVSS:7.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L).

Impacted versions

Grafana 5.3 - Grafana 9.0.1

How to reproduce

Make sure OAuth login is enabled.

  1. Create an attacker user in the OAuth provider with a different email address than the targeted account but the same username (or with the targeted account’s email as username).
  2. Log in using OAuth with the attacker user account.
  3. You should now be in possession of the targeted account in Grafana.

Solutions and mitigations

All installations from Grafana v5.3 to v9.0.1 should be upgraded as soon as possible. Mitigation is possible by disabling OAuth login.
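To make the failure mode concrete, here is an added example (a simplified model, not Grafana's code or its patch) that contrasts resolving the local account by username or email with resolving it only by the provider's subject identifier. The store layout, the claim names (`sub`, `login`, `email`), and all sample values are assumptions constructed for illustration.

```javascript
// Added example: a simplified model of resolving a local user at OAuth login.
// Not Grafana's code or patch; the store layout, the claim names (sub, login,
// email) and all sample values are assumptions made for illustration.
function makeStore() {
  return {
    users: [{ id: 1, login: 'alice', email: 'alice@corp.example' }],
    // Existing bindings of a local user to an identity-provider subject.
    links: [{ userId: 1, provider: 'generic_oauth', sub: 'idp-1001' }],
  };
}

const findLinked = (store, provider, sub) => {
  const link = store.links.find((l) => l.provider === provider && l.sub === sub);
  return link ? store.users.find((u) => u.id === link.userId) : null;
};
const findByNameOrEmail = (store, c) => store.users.find(
  (u) => u.login === c.login || u.email === c.login || u.email === c.email) || null;

// Behaviour matching the advisory: claims that equal an existing login or
// email select that account, whichever provider identity presents them.
function resolveByNameOrEmail(store, provider, claims) {
  return findLinked(store, provider, claims.sub) || findByNameOrEmail(store, claims);
}

// Hardened: only the (provider, sub) binding selects an account. A login or
// email collision with an existing user is refused, not treated as identity.
function resolveBySubject(store, provider, claims) {
  const linked = findLinked(store, provider, claims.sub);
  if (linked) return linked;
  const clash = findByNameOrEmail(store, claims);
  if (clash) throw new Error(`login or email already belongs to user ${clash.id}`);
  const user = { id: store.users.length + 1, login: claims.login, email: claims.email };
  store.users.push(user);
  store.links.push({ userId: user.id, provider, sub: claims.sub });
  return user;
}

// Constructed claims for the two cases in the reproduction steps.
const sameUsername = { sub: 'idp-2002', login: 'alice', email: 'other@ext.example' };
const emailAsUsername = { sub: 'idp-2003', login: 'alice@corp.example', email: 'other@ext.example' };

for (const claims of [sameUsername, emailAsUsername]) {
  const matched = resolveByNameOrEmail(makeStore(), 'generic_oauth', claims);
  let strict;
  try { strict = `user ${resolveBySubject(makeStore(), 'generic_oauth', claims).id}`; }
  catch (e) { strict = `refused: ${e.message}`; }
  console.log(`${claims.login}: name/email match -> user ${matched.id}; subject binding -> ${strict}`);
}
```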

Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

  • 2022-06-27 19:00 - Research submission of vulnerability report
  • 2022-06-27 20:53 - Issue triaged, confirmed positive, and internal incident raised
  • 2022-06-28 08:42 - Fix PR submitted and reviewed
  • 2022-06-28 20:58 - All Grafana Cloud hosted Grafana instances patched
  • 2022-07-05 07:14 - Customers informed under embargo
  • 2022-07-14 02:00 - Public release

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address.

Please encrypt your message to us, using our PGP key. The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement. We will maintain contact and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced. If you reported it to any third parties, we request that you inform us immediately. If you wish, we will coordinate a public release date with you. Proper credit and acknowledgements will be given to you if you want.

We respect your work and we commit to follow responsible disclosure, a.k.a. coordinated vulnerability disclosure. We usually fix issues in a matter of days or weeks, staying well below the industry standard of 90 days.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.