ESB-2019.0048 - [RedHat] grafana: Unauthorised access - Remote/unauthenticated - 2019-01-04


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0048
               Moderate: grafana security and bug fix update
                              4 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           grafana
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15727  

Reference:         ESB-2018.3897
                   ESB-2018.2608

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:0019

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: grafana security and bug fix update
Advisory ID:       RHSA-2019:0019-01
Product:           Red Hat Ceph Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0019
Issue date:        2019-01-03
CVE Names:         CVE-2018-15727 
=====================================================================

1. Summary:

The updated grafana package is now available for Red Hat Ceph Storage 3.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Ceph Storage 3.2 Tools - x86_64

3. Description:

The grafana package provides the Grafana metrics dashboard and graph
editor.

Security Fix(es):

* grafana: authentication bypass knowing only a username of an LDAP or
OAuth user (CVE-2018-15727)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Bug Fix(es):

* The grafana package has been upgraded to upstream version 5.2.4, which
includes a number of bug fixes (BZ#1647494)

* Shrinking the cluster size no longer causes the Red Hat Ceph Storage
Dashboard to display the error message "Templating init failed" (BZ#1653273)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1624088 - CVE-2018-15727 grafana: authentication bypass knowing only a username of an LDAP or OAuth user
1633825 - Add ceph FS support in ceph metrics
1647494 - Update grafana to latest for security fixes
1647496 - Remove golang dependency from grafana
1652427 - [ceph-metrics]Change password is not working
1653273 - Metrics dashboard is throwing "Templating init failed" error after rerunning metrics playbook

6. Package List:

Red Hat Ceph Storage 3.2 Tools:

Source:
grafana-5.2.4-1.el7cp.src.rpm

x86_64:
grafana-5.2.4-1.el7cp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
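The following POSIX shell check is an added example and is not part of the Red Hat or AusCERT bulletin. It takes the fixed build from the package list above (grafana-5.2.4-1.el7cp) and reports whether an installed grafana RPM is at or above it, so an administrator can confirm the update landed on each Red Hat Ceph Storage 3.2 Tools host. It assumes the usual `rpm -q grafana` output format (name-version-release.arch); the function names and the sample strings in the comments are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bulletin): confirm the installed grafana RPM is
# at or above the fixed build listed in RHSA-2019:0019 (grafana-5.2.4-1.el7cp).

FIXED_VERSION="5.2.4"   # from the advisory's package list
FIXED_RELNUM=1          # leading number of the release field "1.el7cp"

# vercmp A B: compare two dotted numeric versions; prints -1, 0 or 1.
# Missing components count as 0, so "5.2" equals "5.2.0".
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) ah=${a%%.*}; a=${a#*.};; *) ah=$a; a=;; esac
        case $b in *.*) bh=${b%%.*}; b=${b#*.};; *) bh=$b; b=;; esac
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# grafana_is_fixed NVR: returns 0 if the package string (for example
# "grafana-5.2.4-1.el7cp.x86_64", as printed by `rpm -q grafana`) is at or
# above the fixed version/release, 1 if it is still affected.
grafana_is_fixed() {
    nvr=${1#grafana-}        # "5.2.4-1.el7cp.x86_64"
    ver=${nvr%%-*}           # "5.2.4"
    rel=${nvr#*-}            # "1.el7cp.x86_64"
    relnum=${rel%%.*}        # "1"
    case $(vercmp "$ver" "$FIXED_VERSION") in
        1)  return 0 ;;      # newer upstream version: fixed
        -1) return 1 ;;      # older upstream version: affected
    esac
    # Same upstream version: the release number decides.
    [ "$relnum" -ge "$FIXED_RELNUM" ]
}

# Stand-alone use: query rpm when it is available and grafana is installed.
if command -v rpm >/dev/null 2>&1 && rpm -q grafana >/dev/null 2>&1; then
    installed=$(rpm -q grafana)
    if grafana_is_fixed "$installed"; then
        echo "OK: $installed is at or above grafana-${FIXED_VERSION}-${FIXED_RELNUM}.el7cp"
    else
        echo "AFFECTED: $installed is older than grafana-${FIXED_VERSION}-${FIXED_RELNUM}.el7cp"
    fi
fi
```

The comparison is purely numeric on the version and on the leading release number, which is enough for the Red Hat build naming used here; it does not implement the full rpm version ordering (epochs, tilde or caret segments), so for packages with those features use rpm's own comparison instead.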

7. References:

https://access.redhat.com/security/cve/CVE-2018-15727
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----