Grafana Enterprise 8.5.3 and 7.5.16 released with moderate severity security fix
Today we are releasing Grafana Enterprise 8.5.3 and 7.5.16. These patch releases include a moderate severity security fix that affects Grafana Enterprise versions from v7.4.0-beta1 through v8.5.2.
Release v8.5.3, only containing a security fix:
Release v7.5.16, only containing a security fix:
SSRF - data source network restrictions bypass via HTTP redirects (CVE-2022-29170)
Summary
On May 2, during an internal security audit, we discovered a security vulnerability which impacts Grafana Enterprise instances that are using the request security feature.
Prerequisite
In order to reproduce the vulnerability in Grafana Enterprise, the following conditions must be met:
- Request security allow list feature is configured to use at least one
host_allow_listorhost_deny_list. - There is a possibility of adding a custom data source to Grafana which returns HTTP redirects.
Request security allow list allows users to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability allows users to bypass these security configurations if a malicious data source (running on an allowed host) returns an HTTP redirect to a forbidden host.
We have received CVE-2022-29170 for this issue. The CVSS score for this vulnerability is 6.6 Moderate (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L) for Grafana Enterprise versions 7.4.0-beta1 to 8.5.2.
Grafana OSS as well as Grafana Cloud are not impacted by this vulnerability.
Affected versions with moderate severity
Grafana Enterprise 7.4.0-beta1 to 8.5.2
Solutions and mitigations
All Grafana Enterprise installations between v7.4.0-beta1 and v8.5.2 that meet the above mentioned conditions should be upgraded as soon as possible.
As always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. In alphabetical order, this is applicable to Amazon Managed Grafana and Azure Managed Grafana.
Timeline and postmortem
Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
- 2022-05-02 A potential Issue related to the request security feature in Grafana Enterprise has been reported internally
- 2022-05-02 12:33 Issue escalated and the vulnerability confirmed reproducible
- 2022-05-02 15:00 Decision is made to release a private patch
- 2022-05-02 15:21 CVE requested
- 2022-05-03 15:58 Private release planned for 2022-05-05, and public release planned for 2022-05-19
- 2022-05-05 12:00 Private release
- 2022-05-19 12:00 Public release
Reporting security issues
If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
