Grafana security release: Critical severity fix for CVE-2024-9264

2024-10-17

Today we rolled out patch releases for Grafana 11.0.x, 11.1.x, and 11.2.x that contain a fix for CVE-2024-9264, a critical severity security vulnerability in Grafana that introduced command injection and local file inclusion (LFI) via SQL expressions. Grafana 10.x is not affected by this vulnerability.

Note: Out of an abundance of caution, we are releasing two sets of security patches that contain the fix for this vulnerability.

For users who only want the security fix, please upgrade to one of the following versions:

Release 11.0.5+security-01

Release 11.1.6+security-01

Release 11.2.1+security-01

For users who want to upgrade to the most recent version of Grafana (which was released on Oct. 1) as well as the security fix, please upgrade to one of the following versions:

Release 11.0.6+security-01

Release 11.1.7+security-01

Release 11.2.2+security-01

Command injection and local file inclusion via SQL Expressions (CVE-2024-9264)

Summary

A Grafana Labs engineer discovered an RCE (remote code execution) vulnerability introduced in Grafana 11. It was in an experimental feature named SQL Expressions, which lets the output of a data source query be post-processed by one or more SQL queries. The feature does this by handing the query and the data to the DuckDB CLI, which executes the SQL against the DataFrame. These SQL queries were not fully sanitized, leading to command injection and local file inclusion.

Because of an incorrect implementation of feature flags, this experimental feature is enabled by default for the API. However, to be exploitable, the DuckDB binary must be reachable through the PATH of the Grafana process's environment. DuckDB is not packaged with Grafana, so an instance is only exploitable if DuckDB has been installed on the host and is on Grafana's PATH. If DuckDB is not present, the instance is not vulnerable.

The CVSS v3.1 score for this vulnerability is 9.9 Critical.

Appropriate patches have been applied to Grafana Cloud. As always, we also closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

Impact

The vulnerability could be used to access any file on the host machine, including any unencrypted passwords within those files. Any Grafana user who has Viewer permissions or higher is capable of executing this attack.

Solutions and mitigations

If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions of Grafana as soon as possible.

As a mitigation, remove the duckdb binary from PATH, or remove it entirely from the system. No other Grafana feature requires it, and the binary is not present in normal distributions.
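The exploitability condition above (DuckDB reachable through the Grafana process's PATH) and this mitigation are easy to verify on a Linux host. The script below is an added example, not Grafana Labs' code: it reads PATH from /proc/<pid>/environ of each running Grafana process (so it checks the service's PATH, not the administrator's shell PATH), looks for an executable named duckdb in every PATH entry, and optionally checks a version string against the six patched builds listed in this advisory. The process names `grafana` and `grafana-server`, the file name, and the version-string format are assumptions; releases published after this advisory are not in its list, so the version check reflects the page as written.

```shell
#!/usr/bin/env bash
# Added example, not Grafana Labs' code. Checks a Linux host for the two
# preconditions the advisory gives for CVE-2024-9264: a Grafana 11.x version
# other than the six "+security-01" builds, and a `duckdb` executable
# reachable through the PATH of the running Grafana process.
set -eu -o pipefail

# Return 0 if $1 is a version the advisory lists as impacted (any 11.x.y
# except the six patched builds it names); 1 otherwise. Later releases are
# not known to this list, so treat a "not impacted" verdict for an unlisted
# 11.x version as "patched according to this advisory" only.
grafana_version_impacted() {
    case "$1" in
        11.0.5+security-01|11.1.6+security-01|11.2.1+security-01) return 1 ;;
        11.0.6+security-01|11.1.7+security-01|11.2.2+security-01) return 1 ;;
        11.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Return 0 and print the first executable named `duckdb` found in the
# colon-separated PATH string $1; return 1 if there is none. An empty PATH
# entry means the current directory, so it is checked as ".".
duckdb_in_path() {
    local dir
    local IFS=':'
    for dir in $1; do
        [ -n "$dir" ] || dir='.'
        if [ -f "$dir/duckdb" ] && [ -x "$dir/duckdb" ]; then
            printf '%s\n' "$dir/duckdb"
            return 0
        fi
    done
    return 1
}

# Print the PATH of process $1 exactly as that process sees it, taken from
# /proc/<pid>/environ (readable only by the process owner or root).
process_path() {
    tr '\0' '\n' < "/proc/$1/environ" | sed -n 's/^PATH=//p'
}

# Inspect every running Grafana process (assumed binary names: `grafana` in
# current releases, `grafana-server` in older ones). Print a verdict per
# process; return 0 if any of them can reach duckdb, 1 otherwise.
scan_grafana_processes() {
    local pid path hit any=1
    for pid in $(pgrep -x grafana 2>/dev/null || true; pgrep -x grafana-server 2>/dev/null || true); do
        path=$(process_path "$pid" 2>/dev/null) || { echo "pid $pid: cannot read environ (run as root?)"; continue; }
        if hit=$(duckdb_in_path "$path"); then
            echo "pid $pid: duckdb reachable at $hit; remove it from PATH or from the host, then upgrade"
            any=0
        else
            echo "pid $pid: no duckdb on PATH; not exploitable per the advisory, but still upgrade"
        fi
    done
    return $any
}

# Usage (file name hypothetical): bash check_cve_2024_9264.sh scan [VERSION]
# VERSION is the Grafana version string, e.g. 11.2.1; the check is skipped if omitted.
if [ "${1:-}" = "scan" ]; then
    if [ -n "${2:-}" ]; then
        if grafana_version_impacted "$2"; then
            echo "version $2: in the impacted range listed by the advisory"
        else
            echo "version $2: not in the impacted range listed by the advisory"
        fi
    fi
    scan_grafana_processes || echo "no Grafana process has duckdb on its PATH"
fi
```

Run it as root so /proc/<pid>/environ is readable for a Grafana process running under its own service account. A hit means the instance meets the exploitability precondition and the mitigation from this section applies immediately; a clean result does not remove the need to upgrade, since the vulnerable code path is still present.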

Impacted versions

Grafana >= v11.0.0 (all v11.x.y are impacted)

Timeline and post-incident review

All times are in UTC

  • 2024-02-27 - PR merged, adding SQL Expressions to Grafana.
  • 2024-09-26 15:54 - Vulnerability discovered by internal staff.
  • 2024-09-26 18:34 - Grafana engineer confirms the API is vulnerable to LFI.
  • 2024-09-26 19:39 - Grafana engineer spots RCE is also likely based on functionality available in DuckDB.
  • 2024-09-26 20:10 - Vulnerability classified as 9.9.
  • 2024-09-27 13:03 - Rolling releases of the security patch complete across all channels for Grafana Cloud.
  • 2024-09-27 15:04 - Decision made to completely remove SQL Expressions functionality from Grafana OSS & Grafana Enterprise for a security release.
  • 2024-09-30 02:12 - All security patches written and merged removing SQL Expressions feature.
  • 2024-10-01 13:58 - Feature toggle disabled for the nine production instances that had it enabled. The feature is now disabled across all instances in Grafana Cloud.
  • 2024-10-02 20:57 - All artifacts built and verified.
  • 2024-10-03 08:00 - Private release.
  • 2024-10-18 02:18 - Public release.
  • 2024-10-18 03:00 - Blog published.

Reporting security issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.

Security announcements

We maintain a security category on our blog where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.