Grafana v9.0.3, v8.5.9, v8.4.10, and v8.3.10 released with high severity security fix

2022-07-15 (3 min read)

Today we are releasing Grafana 9.0.3, 8.5.9, 8.4.10, and 8.3.10. These patch releases include high severity security fixes for two vulnerabilities: CVE-2022-31097 (stored XSS), which affects Grafana v8.0 to v9.0.1, and CVE-2022-31107 (OAuth account takeover), which affects Grafana v5.3 to v9.0.1.

  • Release v9.0.3, latest patch, also containing security fixes
  • Release v8.5.9, only containing security fixes
  • Release v8.4.10, only containing security fixes
  • Release v8.3.10, only containing security fixes

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.

Acknowledgements

We would like to thank Maxim Misharin (Stored XSS) and the HTTPVoid team (OAuth account takeover) for responsibly disclosing these vulnerabilities.

Stored XSS (CVE-2022-31097)

Summary of CVE-2022-31097

An external security researcher, Maxim Misharin, contacted Grafana Labs to disclose a stored XSS vulnerability in Grafana Alerting (previously referred to as Unified Alerting when it was introduced in Grafana 8.0). We believe that this vulnerability is rated at CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

Impacted versions

Grafana v8.0 to v9.0.1. To be impacted, Grafana Alerting must be enabled. (Note: Grafana Alerting is activated by default in Grafana 9.0.)

Solutions and mitigations

All installations from Grafana v8.0 up to and including v9.0.1 should be upgraded as soon as possible. If upgrading is not immediately possible, the vulnerability can be mitigated by turning off Grafana Alerting.

Timeline

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

  • 2022-06-19 10:32 - Research submission of vulnerability report
  • 2022-06-20 14:35 - Issue triaged, confirmed positive, and internal incident raised
  • 2022-06-20 18:40 - Fix PR submitted and reviewed
  • 2022-06-23 07:12 - All Grafana Cloud hosted Grafana instances patched
  • 2022-07-05 07:14 - Customers informed under embargo
  • 2022-07-14 02:00 - Public release

OAuth Account Takeover (CVE-2022-31107)

Summary of CVE-2022-31107

The HTTPVoid team contacted Grafana Labs to disclose an OAuth account takeover vulnerability. We believe that this vulnerability is rated at CVSS 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L).

Impacted versions

Grafana v5.3 to v9.0.1 (inclusive)

How to reproduce

Make sure OAuth login is enabled on the target Grafana instance.

  1. In the OAuth provider, create an attacker account whose username is the same as the targeted Grafana account's login but whose email address is different (or whose username is the targeted account's email address).
  2. Log in to Grafana using OAuth with the attacker account.
  3. You are now logged in as the targeted Grafana account.
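The steps above work because an external identity that has not yet been linked to a local account is matched against existing users by login or email, and the lookup key is the provider username, a value the attacker controls. The following Go program is an added illustration of that failure mode and of a hardened lookup; it is not Grafana's code, and the types, store and function names (ExternalUser, UserStore, vulnerableLookup, hardenedLookup) are assumptions made for the example. The user data is constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ExternalUser is what an OAuth callback hands to the login layer (assumed
// shape). AuthID is the provider-issued subject; Login and Email are profile
// claims that, at many providers, the account holder chooses freely.
type ExternalUser struct {
	AuthModule    string
	AuthID        string
	Login         string
	Email         string
	EmailVerified bool
}

// User is a local account. AuthModule and AuthID record the external
// identity, if any, already linked to it.
type User struct {
	ID         int64
	Login      string
	Email      string
	AuthModule string
	AuthID     string
}

// UserStore is an in-memory stand-in for the users table.
type UserStore struct{ users []*User }

var ErrNoUser = errors.New("no matching local user")

func (s *UserStore) find(pred func(*User) bool) *User {
	for _, u := range s.users {
		if pred(u) {
			return u
		}
	}
	return nil
}

func (s *UserStore) byAuth(module, id string) *User {
	return s.find(func(u *User) bool { return u.AuthModule == module && u.AuthID == id })
}

// byLoginOrEmail mirrors a "get user by login" query that also matches the
// email column, which is what lets an email-shaped username hit a victim.
func (s *UserStore) byLoginOrEmail(v string) *User {
	v = strings.ToLower(v)
	return s.find(func(u *User) bool {
		return strings.ToLower(u.Login) == v || strings.ToLower(u.Email) == v
	})
}

func (s *UserStore) byEmail(v string) *User {
	v = strings.ToLower(v)
	return s.find(func(u *User) bool { return strings.ToLower(u.Email) == v })
}

// vulnerableLookup models the pre-fix behaviour: an identity that is not yet
// linked falls back to any local user whose email equals the provider email,
// or whose login or email equals the attacker-chosen provider username.
func vulnerableLookup(s *UserStore, ext ExternalUser) (*User, error) {
	if u := s.byAuth(ext.AuthModule, ext.AuthID); u != nil {
		return u, nil
	}
	if ext.Email != "" {
		if u := s.byEmail(ext.Email); u != nil {
			return u, nil
		}
	}
	if ext.Login != "" {
		if u := s.byLoginOrEmail(ext.Login); u != nil {
			return u, nil // attacker-chosen username selects the victim
		}
	}
	return nil, ErrNoUser
}

// hardenedLookup never uses the provider username as a lookup key. A local
// account may be linked only through an email the provider asserts as
// verified, and only if no external identity is attached to it yet.
func hardenedLookup(s *UserStore, ext ExternalUser) (*User, error) {
	if u := s.byAuth(ext.AuthModule, ext.AuthID); u != nil {
		return u, nil
	}
	if ext.EmailVerified && ext.Email != "" {
		if u := s.byEmail(ext.Email); u != nil && u.AuthID == "" {
			u.AuthModule, u.AuthID = ext.AuthModule, ext.AuthID // link once
			return u, nil
		}
	}
	return nil, ErrNoUser
}

// newStore builds a constructed sample store holding one victim account.
func newStore() *UserStore {
	return &UserStore{users: []*User{{ID: 1, Login: "alice", Email: "alice@example.com"}}}
}

// attackResults runs the two attacker identities from the reproduction steps
// (same username as the victim; the victim's email used as username) through
// a lookup and reports which local login each one lands on.
func attackResults(lookup func(*UserStore, ExternalUser) (*User, error)) []string {
	attacks := []ExternalUser{
		{AuthModule: "oauth_generic", AuthID: "sub-attacker-1", Login: "alice", Email: "attacker@evil.example", EmailVerified: true},
		{AuthModule: "oauth_generic", AuthID: "sub-attacker-2", Login: "alice@example.com", Email: "attacker@evil.example", EmailVerified: true},
	}
	var out []string
	for _, a := range attacks {
		u, err := lookup(newStore(), a)
		if err != nil {
			out = append(out, "no user")
			continue
		}
		out = append(out, u.Login)
	}
	return out
}

func main() {
	fmt.Println("vulnerable:", attackResults(vulnerableLookup))
	fmt.Println("hardened:  ", attackResults(hardenedLookup))
}
```

Running it shows the vulnerable lookup handing both attacker identities the "alice" account, while the hardened lookup rejects both and would fall through to creating a fresh user. The remaining design choice is whether to link by verified email at all: that is safe only when the provider actually verifies ownership of the address, so with a provider that lets users set arbitrary emails the email branch should be removed too and linking done explicitly by the signed-in user.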

Solutions and mitigations

All installations from Grafana v5.3 up to and including v9.0.1 should be upgraded as soon as possible. If upgrading is not immediately possible, the vulnerability can be mitigated by disabling OAuth login.

Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

  • 2022-06-27 19:00 - Research submission of vulnerability report
  • 2022-06-27 20:53 - Issue triaged, confirmed positive, and internal incident raised
  • 2022-06-28 08:42 - Fix PR submitted and reviewed
  • 2022-06-28 20:58 - All Grafana Cloud hosted Grafana instances patched
  • 2022-07-05 07:14 - Customers informed under embargo
  • 2022-07-14 02:00 - Public release

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.
