Security release: New versions of Grafana and Grafana Image Renderer with a high severity security fix for CVE-2022-31176
Today we are releasing Grafana 9.1.2 and Grafana Image Renderer 3.6.1. Alongside other bug fixes, these two releases include a high severity security fix for CVE-2022-31176, which affects Grafana instances that are using the Grafana Image Renderer plugin.
We are also releasing security releases for Grafana 9.0.8, 8.5.11, 8.4.11 and 8.3.11 to fix this issue.
Release v9.1.2, latest patch also containing security fix:
Grafana Image Renderer release v3.6.1, also containing security fix:
Release v9.0.8, latest patch also containing security fix:
Release v8.5.11, only containing security fix:
Release v8.4.11, only containing security fix:
Release v8.3.11, only containing security fix:
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is also applicable to Amazon Managed Grafana.
Unauthorized file disclosure (CVE-2022-31176)
Summary of CVE-2022-31176
On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for “printing” of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).
This vulnerability permits unauthorized file disclosure and is a potential DoS vector through targeting of extremely large files. The CVSS score for this vulnerability is 8.3 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H) for Grafana instances using the Grafana Image Renderer plugin with HTTP remote rendering.
Impacted versions
All Grafana installations with the Grafana Image Renderer plugin used with HTTP remote rendering are affected by this vulnerability.
Solutions and mitigations
All Grafana installations and the Grafana Image Renderer plugin should be upgraded as soon as possible by following all the steps below. They are only required if you are using the Grafana Image Renderer plugin with HTTP remoting.
- Upgrade your Grafana instance.
- Upgrade your Grafana Image Renderer with the Docker image
grafana/grafana-image-renderer:3.6.1
. - In the rendering section of Grafana configuration file, define a strong secret in
renderer_token
. - Configure the same secret for the Image Renderer either via an environment variable called
AUTH_TOKEN
or by addingauth_token
config key in the[plugin.grafana-image-renderer]
section of Grafana config. - Restart your Grafana instance.
- Restart your Grafana Image Renderer Docker image.
If you can’t upgrade, as a workaround it is possible to disable HTTP remote rendering or stop using the Grafana Image Renderer plugin entirely.
Appropriate patches have been applied to Grafana Cloud.
Timeline
Here is a detailed timeline starting from when we originally learned of the issue.
- 2022-07-21: Internal security researcher discovers the vulnerability and creates the initial report.
- 2022-07-21: The vulnerability is confirmed.
- 2022-07-22: Temporary mitigation is applied to Grafana Cloud.
- 2022-07-22: Root cause is determined and started working on a fix.
- 2022-08-11: Security fix determined and root cause mitigated.
- 2022-08-11: Release timeline determined: 2022-08-17 for private customer release, 2022-08-30 for public release.
- 2022-08-17: Private release.
- 2022-08-30: Public release.
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.