Grafana v9.0.3, v8.5.9, v8.4.10, and v8.3.10 released with high severity security fix
Today we are releasing Grafana 9.0.3, 8.5.9, 8.4.10, and 8.3.10. This patch release includes high severity security fixes for two vulnerabilities: CVE-2022-31097, which affects Grafana v8.0 to v9.0.1, and CVE-2022-31107, which affects Grafana v5.3 to v9.0.1.
- Release v9.0.3, latest patch, also containing security fixes
- Release v8.5.9, only containing security fixes
- Release v8.4.10, only containing security fixes
- Release v8.3.10, only containing security fixes
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.
Acknowledgements
We would like to thank Maxim Misharin (Stored XSS) and the HTTPVoid team (OAuth account takeover) for responsibly disclosing these vulnerabilities.
Stored XSS (CVE-2022-31097)
Summary of CVE-2022-31097
An external security researcher, Maxim Misharin, contacted Grafana Labs to disclose a stored XSS vulnerability in Grafana Alerting (previously referred to as Unified Alerting when it was introduced in Grafana 8.0). We believe that this vulnerability is rated at CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
Impacted versions
Grafana 8.0 - Grafana 9.0.1. To be impacted, Grafana Alerting must be enabled. (Note: Grafana Alerting is activated by default in Grafana 9.0, so 9.0.x installations are affected unless it was explicitly turned off.)
Solutions and mitigations
All installations from Grafana v8.0 to v9.0.1 should be upgraded as soon as possible. If you cannot upgrade immediately, mitigation is possible by turning off Grafana Alerting until the upgrade is done.
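For operators who need the interim mitigation, the setting that turns Grafana Alerting off lives in the `[unified_alerting]` section of `grafana.ini`. The fragment below is added here as an illustration and is not part of the original advisory; it assumes a default installation where the key is either unset or `true`.

```ini
; grafana.ini fragment (illustrative, not from the advisory)
; Grafana Alerting is on by default in 9.0, which is the exposed state:
;
; [unified_alerting]
; enabled = true
;
; Interim mitigation for CVE-2022-31097 until the patched release is deployed.
; The same key can be set through the environment as GF_UNIFIED_ALERTING_ENABLED=false.
[unified_alerting]
enabled = false
```

Turning the feature off stops alert rule evaluation entirely, so treat this as a stopgap for the hours or days until the upgrade, not as a replacement for it.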
Timeline
Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
- 2022-06-19 10:32 - Research submission of vulnerability report
- 2022-06-20 14:35 - Issue triaged, confirmed positive, and internal incident raised
- 2022-06-20 18:40 - Fix PR submitted and reviewed
- 2022-06-23 07:12 - All Grafana Cloud hosted Grafana instances patched
- 2022-07-05 07:14 - Customers informed under embargo
- 2022-07-14 02:00 - Public release
OAuth Account Takeover (CVE-2022-31107)
Summary of CVE-2022-31107
The HTTPVoid team contacted Grafana Labs to disclose an OAuth account takeover vulnerability. We believe that this vulnerability is rated at CVSS 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L).
Impacted versions
Grafana 5.3 - Grafana 9.0.1
How to reproduce
Make sure OAuth login is enabled.
- Create an attacker user in the OAuth provider with a different email address than the targeted account but the same username (or with the targeted account's email address as the username).
- Log in to Grafana using OAuth with the attacker user account.
- You are now logged in to Grafana as the targeted account.
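The steps above work because the identifiers the provider hands over are matched too loosely against existing local accounts. The Go program below is an added example written for this page; it is a model of that matching logic, not Grafana's own code, and the type and function names (`Store`, `vulnerableLookup`, `hardenedLookup`, `seedStore`, `matchedLogin`) and the sample accounts are all constructed for the illustration. It puts the loose lookup, in which the provider's `login` and `email` are each compared against both the local `login` and the local `email`, beside a hardened lookup that resolves a previously linked provider subject first and otherwise matches on email only, and runs both reproduction variants from the list above against each.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative model of the account-matching flaw; not Grafana's own code.

// User is a local account, in the spirit of a Grafana user row.
type User struct {
	ID      int
	Login   string
	Email   string
	IsAdmin bool
}

// ExternalIdentity links a provider identity to a local user (assumed names,
// in the spirit of an auth_module + auth_id pair).
type ExternalIdentity struct {
	AuthModule string
	AuthID     string
	UserID     int
}

// OAuthClaims is what the provider asserts about the person who just logged in.
// Login and Email come from the provider profile; Subject is its stable ID.
type OAuthClaims struct {
	AuthModule string
	Subject    string
	Login      string
	Email      string
}

type Store struct {
	users []User
	links []ExternalIdentity
}

var ErrNoMatch = errors.New("no matching local user")

// vulnerableLookup models the behaviour the reproduction steps rely on: every
// provider-supplied identifier (login and email) is compared against both the
// local login and the local email. Whoever controls their own username at the
// provider therefore lands on any account whose login OR email equals it.
func (s *Store) vulnerableLookup(c OAuthClaims) (*User, error) {
	for i := range s.users {
		u := &s.users[i]
		for _, candidate := range []string{c.Login, c.Email} {
			if candidate == "" {
				continue
			}
			if strings.EqualFold(u.Login, candidate) || strings.EqualFold(u.Email, candidate) {
				return u, nil
			}
		}
	}
	return nil, ErrNoMatch
}

// hardenedLookup resolves the provider's stable subject to an already linked
// local user first and otherwise matches on email only; the username claim is
// never used for matching. Email matching is still only as safe as the
// provider's guarantee that the address is verified and unique.
func (s *Store) hardenedLookup(c OAuthClaims) (*User, error) {
	for _, l := range s.links {
		if l.AuthModule == c.AuthModule && l.AuthID == c.Subject {
			for i := range s.users {
				if s.users[i].ID == l.UserID {
					return &s.users[i], nil
				}
			}
		}
	}
	if c.Email == "" {
		return nil, ErrNoMatch
	}
	for i := range s.users {
		if strings.EqualFold(s.users[i].Email, c.Email) {
			return &s.users[i], nil
		}
	}
	return nil, ErrNoMatch
}

// seedStore holds one privileged victim whose provider identity is already
// linked (constructed sample data).
func seedStore() *Store {
	return &Store{
		users: []User{{ID: 1, Login: "admin", Email: "admin@example.com", IsAdmin: true}},
		links: []ExternalIdentity{{AuthModule: "oauth_generic_oauth", AuthID: "victim-subject", UserID: 1}},
	}
}

// matchedLogin reports which local login a lookup hands to the given claims,
// or "" when the lookup refuses to match.
func matchedLogin(lookup func(OAuthClaims) (*User, error), c OAuthClaims) string {
	u, err := lookup(c)
	if err != nil {
		return ""
	}
	return u.Login
}

func main() {
	s := seedStore()
	// Step 1 of the reproduction: the attacker registers at the provider with
	// the victim's username but their own email address.
	attacker := OAuthClaims{AuthModule: "oauth_generic_oauth", Subject: "attacker-subject",
		Login: "admin", Email: "attacker@attacker.example"}
	fmt.Println("vulnerable lookup gives:", matchedLogin(s.vulnerableLookup, attacker))
	fmt.Println("hardened lookup gives:  ", matchedLogin(s.hardenedLookup, attacker))
}
```

The hardened variant closes the username path but deliberately keeps an email path, because first-time OAuth logins have no linked subject yet; that path is only acceptable when the provider enforces verified, unique email addresses, so check that property of your provider rather than assuming it.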
Solutions and mitigations
All installations from Grafana v5.3 to v9.0.1 should be upgraded as soon as possible. If you cannot upgrade immediately, mitigation is possible by disabling OAuth login until the upgrade is done.
Timeline and postmortem
Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
- 2022-06-27 19:00 - Research submission of vulnerability report
- 2022-06-27 20:53 - Issue triaged, confirmed positive, and internal incident raised
- 2022-06-28 08:42 - Fix PR submitted and reviewed
- 2022-06-28 20:58 - All Grafana Cloud hosted Grafana instances patched
- 2022-07-05 07:14 - Customers informed under embargo
- 2022-07-14 02:00 - Public release
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address.
Please encrypt your message to us, using our PGP key. The key fingerprint is:
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement. We will maintain contact and may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced. If you reported it to any third parties, we request that you inform us immediately. If you wish, we will coordinate a public release date with you. Proper credit and acknowledgements will be given to you if you want.
We respect your work and we commit to follow responsible disclosure, a.k.a. coordinated vulnerability disclosure. We usually fix issues in a matter of days or weeks, staying well below the industry standard of 90 days.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.