OpenSSL has released details of CVE-2022-3786 and CVE-2022-3602, which affect OpenSSL v3.x, with the impact assessed by OpenSSL as HIGH. In response, Grafana Labs has reviewed our projects and products, and here is what we found.
How it affects Grafana binary releases, including Grafana Agent
The majority of Grafana Labs’ core software is written in Go and relies on Go’s built-in TLS implementation. This implementation is independent of OpenSSL and does not contain the same vulnerabilities. As such, the binary releases of Grafana, Grafana Agent, Grafana Tempo, Grafana Loki, and Grafana Mimir are not impacted by these OpenSSL CVEs.
How it affects Grafana Cloud
In Grafana Cloud, we rely upon Cloud providers and off-the-shelf software rather than implementing SSL/TLS within our own software. We have confirmed that our Cloud platforms are protected by non-impacted or appropriately patched SSL/TLS implementations.
How it affects containerized releases (Grafana Agent, Grafana Enterprise, and containerized OSS packages)
In many cases, we also offer containerized releases of our software. These releases may contain vulnerable versions of OpenSSL, but we do not have any evidence to indicate that they are vulnerable to remote code execution as a result of these vulnerabilities. We will release updated versions imminently.
All Grafana Labs packages containing potentially vulnerable OpenSSL dependencies will be patched and new releases will be made public as upstream patches become available.
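To turn the container statement above into a check you can run against your own deployed images, here is an added example (not Grafana Labs' code): it runs `openssl version` inside an image via Docker and classifies the reported build. It assumes Docker is installed, and it assumes the first fixed upstream release is 3.0.7 (a value not stated on this page; confirm it against the OpenSSL advisory).

```python
"""Flag OpenSSL 3.x builds older than the fix for CVE-2022-3786 / CVE-2022-3602.

Added example, not Grafana Labs' code. FIXED_VERSION is an assumption
(the upstream fix release) and should be confirmed against the OpenSSL advisory.
"""
import re
import subprocess

FIXED_VERSION = (3, 0, 7)  # assumed upstream fix release; not taken from the page

# `openssl version` prints e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q 5 Jul 2022"
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(output: str):
    """Return (major, minor, patch) from `openssl version` output, or None if unparsable."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def is_affected(output: str) -> bool:
    """True when the reported build is a 3.x release older than FIXED_VERSION.

    Only the 3.x branch is in scope for these two CVEs: 1.1.1 and earlier are
    not affected, and anything at or above the fix release is patched.
    """
    v = parse_openssl_version(output)
    if v is None:
        return False  # not OpenSSL output at all; report it separately
    return v[0] == 3 and v < FIXED_VERSION


def check_image(image: str) -> str:
    """Run `openssl version` inside a container image and classify the result.

    --entrypoint overrides the image's own entrypoint so only openssl runs.
    Images with no openssl binary (typical for static Go builds) yield "no-openssl".
    """
    try:
        proc = subprocess.run(
            ["docker", "run", "--rm", "--entrypoint", "openssl", image, "version"],
            capture_output=True, text=True, timeout=120,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "error"  # docker missing or the pull/run hung
    if proc.returncode != 0:
        return "no-openssl"
    return "affected" if is_affected(proc.stdout) else "not-affected"


if __name__ == "__main__":
    import sys
    for img in sys.argv[1:]:
        print(f"{img}: {check_image(img)}")
```

A missing `openssl` CLI does not prove that libssl is absent from the image; an SBOM or package scanner gives the definitive answer.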
Reporting security issues
If you think you have found a security vulnerability, please send a report to email@example.com. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is
F225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0
The key is available from keyserver.ubuntu.com.
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.