We have recently released Grafana Image Renderer v3.8.3, which contains a fix for CVE-2023-4863. This vulnerability enables remote attackers to perform an out-of-bounds memory write via a crafted HTML page.
Grafana Image Renderer 3.8.3 with security fix:
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement.
Out-of-bounds memory write (CVE-2023-4863)
The Grafana Image Renderer service uses Chrome in the background to render dashboards. On September 11, Google released a new version of Chrome to fix an issue with the WebP library. Our Security team identified that the Image Renderer is vulnerable to this attack because it uses an affected version of Chrome for rendering Grafana dashboards. The fix for the Grafana Image Renderer vulnerability is available from Chrome version 116.0.5845.187 for Mac and Linux.
The CVSS score for this vulnerability is 8.8 High.
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. (Chromium security severity: Critical). As these are libraries that are included and used by Grafana Image Renderer, the project was vulnerable.
All installed versions of Grafana running the Grafana Image Renderer plugin with version equal or prior to v3.8.2.
Solution and mitigation
If your instance is vulnerable, we recommend that you upgrade Grafana Image Renderer to version 3.8.3 or higher.
Timeline and post-incident review
Here is a detailed timeline starting from when we originally introduced the issue. All times in UTC.
- 2023-09-28 10:01 UTC - Our security team was informed about a security issue in libwebp/chrome CVE-2023-5129. We opened an internal incident to investigate the exposure.
- 2023-09-29 12:43 UTC - A new version of Grafana Image Renderer (v3.8.3) was released, which contained the dependency update needed.
- 2023-09-29 12:48 UTC - Updated version of Grafana Image Renderer was deployed to Grafana Cloud.
- 2023-10-02 13:39 UTC - Our internal investigation showed that no customers of Grafana Cloud were impacted by this security issue.
- 2023-10-11 16:08 UTC - Our customers were notified of the new version and suggested to update to it.
- 2023-10-18 14:30 UTC - Public blog post to inform the community about the security update.
Reporting security issues
If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.