Operating System:

[RedHat]

Published:

16 November 2022

Protect yourself against future threats.

//Service

Sensitive Information Alert

Alert notification provided via email for sensitive material found online by our analyst team which specifically targets your organisation.

Read more
Resources > Security Bulletins > ESB-2022.5893 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5893
             grafana security, bug fix, and enhancement update
                             16 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           grafana
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32148 CVE-2022-31107 CVE-2022-30635
                   CVE-2022-30633 CVE-2022-30632 CVE-2022-30631
                   CVE-2022-30630 CVE-2022-28131 CVE-2022-21713
                   CVE-2022-21703 CVE-2022-21702 CVE-2022-21698
                   CVE-2022-21673 CVE-2022-1962 CVE-2022-1705
                   CVE-2021-23648  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:8057

Comment: CVSS (Max):  7.5 CVE-2022-30635 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: grafana security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:8057-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8057
Issue date:        2022-11-15
CVE Names:         CVE-2021-23648 CVE-2022-1705 CVE-2022-1962 
                   CVE-2022-21673 CVE-2022-21698 CVE-2022-21702 
                   CVE-2022-21703 CVE-2022-21713 CVE-2022-28131 
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 
                   CVE-2022-30633 CVE-2022-30635 CVE-2022-32148 
=====================================================================

1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor
for Graphite, InfluxDB & OpenTSDB.

The following packages have been upgraded to a later upstream version:
grafana (7.5.15). (BZ#2055349)

Security Fix(es):

* sanitize-url: XSS due to improper sanitization in sanitizeUrl function
(CVE-2021-23648)

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)

* grafana: Forward OAuth Identity Token can allow users to access some data
sources (CVE-2022-21673)

* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

* grafana: XSS vulnerability in data source handling (CVE-2022-21702)

* grafana: CSRF vulnerability can lead to privilege escalation
(CVE-2022-21703)

* grafana: IDOR vulnerability can lead to information disclosure
(CVE-2022-21713)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2050648 - CVE-2022-21702 grafana: XSS vulnerability in data source handling
2050742 - CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
2050743 - CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
2055349 - Rebase of Grafana in RHEL 9.1
2065290 - CVE-2021-23648 sanitize-url: XSS due to improper sanitization in sanitizeUrl function
2104367 - CVE-2022-31107 grafana: OAuth account takeover
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
grafana-7.5.15-3.el9.src.rpm

aarch64:
grafana-7.5.15-3.el9.aarch64.rpm
grafana-debuginfo-7.5.15-3.el9.aarch64.rpm

ppc64le:
grafana-7.5.15-3.el9.ppc64le.rpm
grafana-debuginfo-7.5.15-3.el9.ppc64le.rpm

s390x:
grafana-7.5.15-3.el9.s390x.rpm
grafana-debuginfo-7.5.15-3.el9.s390x.rpm

x86_64:
grafana-7.5.15-3.el9.x86_64.rpm
grafana-debuginfo-7.5.15-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-23648
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-21673
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-21702
https://access.redhat.com/security/cve/CVE-2022-21703
https://access.redhat.com/security/cve/CVE-2022-21713
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3OMc9zjgjWX9erEAQi0HA/8Cyww+6XfCKlKLVfnpNcj1p0tXUTvcjnS
OnnlUiQjXS44wBO73RbGWZL0FSZf3kjIEmzm20Tq6NZJ1K3Krw709BLd6ijx/uDi
QoROhHbujrLa52FUEl5pQspiE8gtLRX/DfxtV8dQcCsDD5ocUarOoT661wFoxipy
SsV9AZLw971eoGgYEeB7iD9pgnUZqATMqf75bLxMgBd8RgHT7VkheOckS+ThJrTy
UhVXyORoLaMvbFdvcLn/U3B+ocRiEvEICQ3yFW7GkvElMEawQr1f7TSHSqAiGB3G
IYiAV13YsatkPes+VQFiHBxKLkXuCPUJn1V0zovrfQI96gEGWsm4k9p6DogweNyK
jQ67cjLzkBKYQoLI77NhV19dsvMjct4bQWMiVSVkdWRNECAXFyxIdndR/DalEydm
GDXzyk8CLWRXm5l/149RhOfbIoVPqe9b/lzMZGF/TGvi/Fl+m3hPXSB0STgiCXSD
0bNAscp6a+GEf+m4J+rf/fjePuSjYU4noUiWzL7mkZs9v/W7JGz67+h8SPRIVnH6
65rurVnpCVgie5ObFV2WKCmkCL1q1yBTwSVIfaRL60c+Za8eRZzjA9+t+3A2mbBs
l3oUVRAea2zLk3qXmaLbT/vAA49MClAd4IQw8OOAy1Zs2B8Yg/CyclKvgXnGcMCM
cIsuNoeU9+M=
=CKDa
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3Q2/ckNZI30y1K9AQhOChAAn+gEZc8zX2Bbkj11x8rwsDnUQavcTd/x
pn4rITTa5pdyqZPtykbl2UqEASrwQ7NxHnF2+0YMr340NIJnT6IPQAoV0xGRJlYD
pGixsXHRlzAYoR/Zl+jcgxGW+EMFs3oYjjtjsbDmIslVp//fEXD6RoZJGQqzKEz3
8Ni3hpjUJiJIHpEluwD8cFmoZmW/llI1qcKr7t1Yss27XejMvUuXw0dJA7ZcfFGf
SJnizvFo8fJ95hcr82pyvEUCpORo4sBfSjlZ5QZ4rOShtlW/aWko/6fHE08jXNbX
FhNIb4as8feZ1xvawTRdeD373E5h0B1GAb3+ttIp1cH7Nv8A2WMbUiZl7JxL7CTX
ZO96VLQcLfZqQewb4vbJSLkH5RNSmMagYkcBJfTFlkRcxB/p63Xoc52EEH9OP1XS
BwnzcVPUfv0+QGrv/74POLG6bTQKrE9AJcxQWIHAv5pfuMkdSFyN7P9ENljvRMg/
C5vziVlRmXt9UpUfUfb8IPMpinMJo8U2XRyFxXV1w6JkArtZ/UeyGCdTlmchLNjP
526VCC+JHom1NWzydmU/8sF6znGCSLm6cLkfJLwcBLHPEYIwJPB04gbSLnqXKYeM
a3B+orgnXSkSmXo8JEIJIiScQFEFIBg27oeGNcmlQl54TxCbPGF9qnuDNDIvPied
2tT+gpL0X+U=
=bz+D
-----END PGP SIGNATURE-----