
Security release: New version of Synthetic Monitoring Agent with a high severity fix for CVE-2022-46156

2022-11-30 3 min

Today we are releasing version 0.12.0 of the Synthetic Monitoring Agent, which contains a fix for CVE-2022-46156. This vulnerability was first patched in version 0.11.2, with further patches now available in version 0.12.0.

Network exposure of API token (CVE-2022-46156)

Summary

On Nov. 23, a Grafana community member reported that the agent's API token was exposed through a debug endpoint that was enabled by default for profiling purposes.

We disabled the debug endpoint in release v0.11.2. Release v0.12.0 adds further hardening: the API token can be passed through the environment instead of the command line, and the HTTP server (which serves operational metrics as well as the debug endpoints) now listens on localhost by default instead of on all interfaces. This vulnerability has a CVSS score of 7.2 (High).

Impact

Users running the Synthetic Monitoring Agent in their local network are impacted. (Agents operated by Grafana Labs are not impacted, as we take additional measures to ensure that the HTTP endpoint is not accessible outside our environment.) The authentication token used to communicate with the Synthetic Monitoring API is exposed through a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and assigned to the agent identified by that token. The Synthetic Monitoring API rejects connections from agents that are already connected, so access to the token does not guarantee access to the checks.

The following changes have been made to address this issue:

  • Disable debug endpoint by default
  • Allow retrieving the token from the environment
  • Default to listening on localhost

Solutions and mitigations

Users are advised to upgrade to version 0.12.0 as soon as possible and to rotate the agent tokens.

After upgrading to version v0.12.0 or later, users of distribution packages (e.g., Debian or RedHat and their derivatives) should review the configuration stored in /etc/synthetic-monitoring/synthetic-monitoring-agent.conf, specifically the API_TOKEN variable, which has been renamed to SM_AGENT_API_TOKEN.

As a workaround for all previous versions of the Synthetic Monitoring Agent, users should review the agent settings and set the HTTP listening address so that exposure is limited: for example, bind to localhost or to a non-routed network by passing the command line parameter -listen-address (e.g., -listen-address localhost:4050).
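The three changes listed above (debug endpoint off by default, token taken from the environment, HTTP server bound to localhost) expressed as a hardened startup routine. This is an added Go example, not the agent's own code: the SM_AGENT_API_TOKEN variable and the localhost:4050 default come from the advisory, while the -enable-pprof flag name is an assumption.

```go
package main

import (
	"flag"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/pprof"
	"os"
)
// Config holds the three settings the advisory changed; -enable-pprof is a hypothetical flag name.
type Config struct {
	ListenAddress string // bind address of the metrics/debug HTTP server
	EnablePprof   bool   // debug endpoints are opt-in, off by default
	APIToken      string // read from the environment, never from a command-line flag
}
// parseConfig parses args and takes the token from getenv (os.Getenv in main), failing if it is unset.
func parseConfig(args []string, getenv func(string) string) (Config, error) {
	fs := flag.NewFlagSet("agent", flag.ContinueOnError)
	var c Config
	fs.StringVar(&c.ListenAddress, "listen-address", "localhost:4050", "HTTP listen address")
	fs.BoolVar(&c.EnablePprof, "enable-pprof", false, "expose /debug/pprof")
	if err := fs.Parse(args); err != nil {
		return Config{}, err
	}
	if c.APIToken = getenv("SM_AGENT_API_TOKEN"); c.APIToken == "" {
		return Config{}, fmt.Errorf("SM_AGENT_API_TOKEN is not set")
	}
	return c, nil
}
// listensOnAllInterfaces is true for an empty or unspecified host (":4050", "0.0.0.0:4050", "[::]:4050").
func listensOnAllInterfaces(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	return host == "" || net.ParseIP(host).IsUnspecified()
}
func main() {
	c, err := parseConfig(os.Args[1:], os.Getenv)
	if err != nil {
		log.Fatal(err)
	}
	mux := http.NewServeMux() // not http.DefaultServeMux, on which importing net/http/pprof registers its handlers
	if c.EnablePprof {
		mux.HandleFunc("/debug/pprof/", pprof.Index)
	}
	log.Fatal(http.ListenAndServe(c.ListenAddress, mux))
}
```

Run with `SM_AGENT_API_TOKEN=... go run .` to get the loopback-only default; `listensOnAllInterfaces` is the check to apply to any explicitly configured `-listen-address` before deploying.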

For more information

If you have any questions or comments about this advisory:

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.