-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3383
                           grafana security update
                              13 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           grafana
Publisher:         Red Hat
Operating System:  Red Hat
                   Windows
                   macOS
                   Linux variants
Impact/Access:     Delete Arbitrary Files   -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-39226

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:3771
   https://access.redhat.com/errata/RHSA-2021:3770
   https://access.redhat.com/errata/RHSA-2021:3769

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Red Hat. It is recommended that administrators
         running grafana check for an updated version of the software for
         their operating system.

         This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: grafana security update
Advisory ID:       RHSA-2021:3771-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3771
Issue date:        2021-10-12
CVE Names:         CVE-2021-39226
=====================================================================

1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor for
Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

* grafana: Snapshot authentication bypass (CVE-2021-39226)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2011063 - CVE-2021-39226 grafana: Snapshot authentication bypass

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
grafana-7.3.6-3.el8_4.src.rpm

aarch64:
grafana-7.3.6-3.el8_4.aarch64.rpm
grafana-debuginfo-7.3.6-3.el8_4.aarch64.rpm

ppc64le:
grafana-7.3.6-3.el8_4.ppc64le.rpm
grafana-debuginfo-7.3.6-3.el8_4.ppc64le.rpm

s390x:
grafana-7.3.6-3.el8_4.s390x.rpm
grafana-debuginfo-7.3.6-3.el8_4.s390x.rpm

x86_64:
grafana-7.3.6-3.el8_4.x86_64.rpm
grafana-debuginfo-7.3.6-3.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-39226
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYWVpw9zjgjWX9erEAQildxAAmaVEFXdkzYomlLB0jP2tcA0wgItygxeE
4LSaK9PPixxQYF2L1olMNwRlQHc4+n9pzOfnhrSI0D/uEixIEj2WFaPC73EWLIqy
jtv9igQUZERTvTkJAxOv65ytMdmsOaFUI4XVwSssbgXFQV5AX4YueIkEdVKAbZdT
jNDJ26mr0FNapldr+8uHGZyhpE5JYs8W7ElHy7pFRC+dOYMzCE5GEzB1wYWVjON1
NVia6g/hx3EMnJPq0m/rJyMxxSl13yd0Qqy+LFeObkP3qGDuYC0uZ8bdJLhlYmmf
tRZLA2tx6Q7MRjh7eD77epULnad5KrYNaEbIxHIBL41jdI+4DQFUSHA9uKqSWIop
PVMwlKHxx8fRMjZCKOF5Mrx2qibrgeoGwroNJc3blQtzSj17+BqzT4IGbn5qS9OF
yXPl6s+Yzoihd+luhjXW0SckY1x9hYOfDlkRK8xdRmcjWbK0sGr3xY3SEAlJ9xUH
NsxBc9Ved1mQPqKw9LmGII+nxZQBovlojxzrS7bJzNVRXMrL33K+y+4Tlwsa3Fgg
Sf6B+7+en0fW/Kp3R0y1U9JzE0DK6r6hx5+IkISNqiMVqpj61XQsyvsJjm+t8gpX
UHmxcyNtnFyFY0gdJSHHKyErr4Dto6oRlqtOslGmeBecQqt01+Xex68BeMyBo88O
gyepC07N/Vo=
=iU5n
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: grafana security update
Advisory ID:       RHSA-2021:3770-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3770
Issue date:        2021-10-12
CVE Names:         CVE-2021-39226
=====================================================================

1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor for
Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

* grafana: Snapshot authentication bypass (CVE-2021-39226)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2011063 - CVE-2021-39226 grafana: Snapshot authentication bypass

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:
grafana-6.3.6-3.el8_2.src.rpm

aarch64:
grafana-6.3.6-3.el8_2.aarch64.rpm
grafana-azure-monitor-6.3.6-3.el8_2.aarch64.rpm
grafana-cloudwatch-6.3.6-3.el8_2.aarch64.rpm
grafana-debuginfo-6.3.6-3.el8_2.aarch64.rpm
grafana-elasticsearch-6.3.6-3.el8_2.aarch64.rpm
grafana-graphite-6.3.6-3.el8_2.aarch64.rpm
grafana-influxdb-6.3.6-3.el8_2.aarch64.rpm
grafana-loki-6.3.6-3.el8_2.aarch64.rpm
grafana-mssql-6.3.6-3.el8_2.aarch64.rpm
grafana-mysql-6.3.6-3.el8_2.aarch64.rpm
grafana-opentsdb-6.3.6-3.el8_2.aarch64.rpm
grafana-postgres-6.3.6-3.el8_2.aarch64.rpm
grafana-prometheus-6.3.6-3.el8_2.aarch64.rpm
grafana-stackdriver-6.3.6-3.el8_2.aarch64.rpm

ppc64le:
grafana-6.3.6-3.el8_2.ppc64le.rpm
grafana-azure-monitor-6.3.6-3.el8_2.ppc64le.rpm
grafana-cloudwatch-6.3.6-3.el8_2.ppc64le.rpm
grafana-debuginfo-6.3.6-3.el8_2.ppc64le.rpm
grafana-elasticsearch-6.3.6-3.el8_2.ppc64le.rpm
grafana-graphite-6.3.6-3.el8_2.ppc64le.rpm
grafana-influxdb-6.3.6-3.el8_2.ppc64le.rpm
grafana-loki-6.3.6-3.el8_2.ppc64le.rpm
grafana-mssql-6.3.6-3.el8_2.ppc64le.rpm
grafana-mysql-6.3.6-3.el8_2.ppc64le.rpm
grafana-opentsdb-6.3.6-3.el8_2.ppc64le.rpm
grafana-postgres-6.3.6-3.el8_2.ppc64le.rpm
grafana-prometheus-6.3.6-3.el8_2.ppc64le.rpm
grafana-stackdriver-6.3.6-3.el8_2.ppc64le.rpm

s390x:
grafana-6.3.6-3.el8_2.s390x.rpm
grafana-azure-monitor-6.3.6-3.el8_2.s390x.rpm
grafana-cloudwatch-6.3.6-3.el8_2.s390x.rpm
grafana-debuginfo-6.3.6-3.el8_2.s390x.rpm
grafana-elasticsearch-6.3.6-3.el8_2.s390x.rpm
grafana-graphite-6.3.6-3.el8_2.s390x.rpm
grafana-influxdb-6.3.6-3.el8_2.s390x.rpm
grafana-loki-6.3.6-3.el8_2.s390x.rpm
grafana-mssql-6.3.6-3.el8_2.s390x.rpm
grafana-mysql-6.3.6-3.el8_2.s390x.rpm
grafana-opentsdb-6.3.6-3.el8_2.s390x.rpm
grafana-postgres-6.3.6-3.el8_2.s390x.rpm
grafana-prometheus-6.3.6-3.el8_2.s390x.rpm
grafana-stackdriver-6.3.6-3.el8_2.s390x.rpm

x86_64:
grafana-6.3.6-3.el8_2.x86_64.rpm
grafana-azure-monitor-6.3.6-3.el8_2.x86_64.rpm
grafana-cloudwatch-6.3.6-3.el8_2.x86_64.rpm
grafana-debuginfo-6.3.6-3.el8_2.x86_64.rpm
grafana-elasticsearch-6.3.6-3.el8_2.x86_64.rpm
grafana-graphite-6.3.6-3.el8_2.x86_64.rpm
grafana-influxdb-6.3.6-3.el8_2.x86_64.rpm
grafana-loki-6.3.6-3.el8_2.x86_64.rpm
grafana-mssql-6.3.6-3.el8_2.x86_64.rpm
grafana-mysql-6.3.6-3.el8_2.x86_64.rpm
grafana-opentsdb-6.3.6-3.el8_2.x86_64.rpm
grafana-postgres-6.3.6-3.el8_2.x86_64.rpm
grafana-prometheus-6.3.6-3.el8_2.x86_64.rpm
grafana-stackdriver-6.3.6-3.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-39226
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYWVn4tzjgjWX9erEAQhfFg/+K6whZOQwhfGwLf0Nk42dHhVfcdkKRSZa
z3KHM4mFL4zSdIeJMOm8ThyzTh528eJqDC5v+/ucVA04EFP6joEAPHdsgkAdXBPD
PZX1MJfWlxETy7ySvvC9QCF+AGH/GxaAutUvaeyNB10eMPVdjbwUFYSvsh8a0GFx
jV6ffp4oBASubPW3S4GHPJczE8fyoI0vMDLbo/gLFrxQRaeigfYQMWAlh45r6rir
GwvnyyEbE4xh1v76kXuaXomWHSskBMhb1z8kveh64scUonK/+0F0m0Gfx2NlTL8f
WHiY0MopEv19CZ8xXZjcJhsyqSdvV3eAqNRpv2a5mndLcKiLkqxQvX+zrLbvG1mo
l864RiKQezOGzcAcc8rbNeT0EsS0P/c1+MkE9HH/OarSY5BROs1jnZCb9Q9czLes
IsCbBosrbKyt5HK+SJfy4OsxqRa5ArlS1O1u01Jec87Ys2pOjJGFb3bmg71o+WxQ
ozzqqSbqUrxd6iI5o4sQHJwuwNAvOMBJgS9amQyp44NLrExILPiX7U8sd+S+vZNO
OJ0RSVPUuu4q7PqUuPbfPyWXeuErxc6K5AMWE6oFnDt+TcITfl3s+oy9LVDV3qvd
d5b47d+ZqIaLK4P0khqO85Wx25mjnhcDSB40QqWOv9HnJnK0bNYWdnF5mqow+JPo
EzD6WeQTiiE=
=AdtJ
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: grafana security update
Advisory ID:       RHSA-2021:3769-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3769
Issue date:        2021-10-12
CVE Names:         CVE-2021-39226
=====================================================================

1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 8.1
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor for
Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

* grafana: Snapshot authentication bypass (CVE-2021-39226)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2011063 - CVE-2021-39226 grafana: Snapshot authentication bypass

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
grafana-6.2.2-7.el8_1.src.rpm

aarch64:
grafana-6.2.2-7.el8_1.aarch64.rpm
grafana-azure-monitor-6.2.2-7.el8_1.aarch64.rpm
grafana-cloudwatch-6.2.2-7.el8_1.aarch64.rpm
grafana-debuginfo-6.2.2-7.el8_1.aarch64.rpm
grafana-elasticsearch-6.2.2-7.el8_1.aarch64.rpm
grafana-graphite-6.2.2-7.el8_1.aarch64.rpm
grafana-influxdb-6.2.2-7.el8_1.aarch64.rpm
grafana-loki-6.2.2-7.el8_1.aarch64.rpm
grafana-mssql-6.2.2-7.el8_1.aarch64.rpm
grafana-mysql-6.2.2-7.el8_1.aarch64.rpm
grafana-opentsdb-6.2.2-7.el8_1.aarch64.rpm
grafana-postgres-6.2.2-7.el8_1.aarch64.rpm
grafana-prometheus-6.2.2-7.el8_1.aarch64.rpm
grafana-stackdriver-6.2.2-7.el8_1.aarch64.rpm

ppc64le:
grafana-6.2.2-7.el8_1.ppc64le.rpm
grafana-azure-monitor-6.2.2-7.el8_1.ppc64le.rpm
grafana-cloudwatch-6.2.2-7.el8_1.ppc64le.rpm
grafana-debuginfo-6.2.2-7.el8_1.ppc64le.rpm
grafana-elasticsearch-6.2.2-7.el8_1.ppc64le.rpm
grafana-graphite-6.2.2-7.el8_1.ppc64le.rpm
grafana-influxdb-6.2.2-7.el8_1.ppc64le.rpm
grafana-loki-6.2.2-7.el8_1.ppc64le.rpm
grafana-mssql-6.2.2-7.el8_1.ppc64le.rpm
grafana-mysql-6.2.2-7.el8_1.ppc64le.rpm
grafana-opentsdb-6.2.2-7.el8_1.ppc64le.rpm
grafana-postgres-6.2.2-7.el8_1.ppc64le.rpm
grafana-prometheus-6.2.2-7.el8_1.ppc64le.rpm
grafana-stackdriver-6.2.2-7.el8_1.ppc64le.rpm

s390x:
grafana-6.2.2-7.el8_1.s390x.rpm
grafana-azure-monitor-6.2.2-7.el8_1.s390x.rpm
grafana-cloudwatch-6.2.2-7.el8_1.s390x.rpm
grafana-debuginfo-6.2.2-7.el8_1.s390x.rpm
grafana-elasticsearch-6.2.2-7.el8_1.s390x.rpm
grafana-graphite-6.2.2-7.el8_1.s390x.rpm
grafana-influxdb-6.2.2-7.el8_1.s390x.rpm
grafana-loki-6.2.2-7.el8_1.s390x.rpm
grafana-mssql-6.2.2-7.el8_1.s390x.rpm
grafana-mysql-6.2.2-7.el8_1.s390x.rpm
grafana-opentsdb-6.2.2-7.el8_1.s390x.rpm
grafana-postgres-6.2.2-7.el8_1.s390x.rpm
grafana-prometheus-6.2.2-7.el8_1.s390x.rpm
grafana-stackdriver-6.2.2-7.el8_1.s390x.rpm

x86_64:
grafana-6.2.2-7.el8_1.x86_64.rpm
grafana-azure-monitor-6.2.2-7.el8_1.x86_64.rpm
grafana-cloudwatch-6.2.2-7.el8_1.x86_64.rpm
grafana-debuginfo-6.2.2-7.el8_1.x86_64.rpm
grafana-elasticsearch-6.2.2-7.el8_1.x86_64.rpm
grafana-graphite-6.2.2-7.el8_1.x86_64.rpm
grafana-influxdb-6.2.2-7.el8_1.x86_64.rpm
grafana-loki-6.2.2-7.el8_1.x86_64.rpm
grafana-mssql-6.2.2-7.el8_1.x86_64.rpm
grafana-mysql-6.2.2-7.el8_1.x86_64.rpm
grafana-opentsdb-6.2.2-7.el8_1.x86_64.rpm
grafana-postgres-6.2.2-7.el8_1.x86_64.rpm
grafana-prometheus-6.2.2-7.el8_1.x86_64.rpm
grafana-stackdriver-6.2.2-7.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-39226
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYWVnL9zjgjWX9erEAQjVahAAoJ7+9AngYZM5PDdO2kvnwX3knbZLlvpU
yhDQEIDnv0Q3RGFKybww186KdEGOJCrhSKjVgdMtaP6Ksm7GHaIbm4b5myqTxvHN
Q8mTbM7XyUeEOvKKjOwRYapWFjtssA1zDJDxWLUTulJrzFGlW2yl4x+c3nZLypli
6Sgps3Oa37wft1J/IpA8Tlyq0LcVpQ/xyKdN64CTyT7o54MU0TttuwPgsU/XsGmw
grmuFv26CSpXW+F+2vO/BmCxdDIO3e5+ZZ8vvjRCM7FL4EVOXZW59lmv/7sqa9OS
QrMM5Lt4LawxpwGN8bkDLhIz4oPYmUtlXSqEbryCCh37/PUbToP70ZICj+B77OFB
QMvOcGQ6EdSu1cHMPzPZCzXm+twOMu+d3Drb1lxXSI7JLuLWIODYVEo01zPm5Z6M
YtLL1oW6dRaL1bJ5EvzNuazPz4nOuIoNQBrJycjc6aOEhUfDFe2srq4L3DO+UhZ0
RUdE3/EJdvVvLZt9X5Z1BVL9KvDmrSEHuPd6cUN31YuIraSQozVXW6j3v/tiOG+D
lvnjzueupji80QuD2h2vTiUQAgVEOXmiGdONJTFSzE3DqOZ9kiMIqVp7YkH6+qem
Z3mhnt0plyQRL1rJCZA1EKJUGQBr0TF1ld3rTGbGj9Z8iwSa26/wiJCqd7EzAt1O
vh1z8o0ZYj0=
=UOrO
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYWZzHeNLKJtyKPYoAQgIsw//So9IAmoAFPGf4E1CVdvWx6okX12ngcEn
W63mulzF3zWKk5ujP/8b1NjDdJinR1FMwNulXGv/iVvOmUzlQzwe9UngbjGkgUZP
f4wgJ2kuZzxdlHOI8iqcXeBuInnSLnl2JC1AwGH90+ujx+l7Ok4y2ZPQhQWF4bbF
X3Ofz0tJjGfyafxJPQ6iJoOwjGw3nFSLWb9aeQg0LAUttKqmZFK9VQ6bhrUkfeLr
7PSoAwK9mhHkbApR2/NNVpiPbHQpQgr2DVdK6DXoUzujB24c7bN7LNzkHzwhFLtL
XTNjbrr/KKQC+Ib4THUk6eZcnmaLvDiiejilCWg/nC/DG9GLp32ELj9cwrZn6T0a
chC+Y8QhhFKmmRXBfkTOtA1NLuA1xmN5NZw4IlHCGVJAMGxS3QTN4uqU8cISXgM1
kD2X1osHG0CyvXdKv7QGwuIyq8AWg1joZsANF2sACzaWYuo9zXPmhUe/10ttLDRq
Ll/77woJcOfpxGKAWNF14N6Ib4uxAreTJB7YNp1rmZzn1XGZ0D51uY+6Lu5ylR3w
DdRSerR/XzvpghowrzQsu1n2/SVQSlQMNMxbQYcvLG+4aE51CjEDLjo2ciHjSHg2
yKML/Z188JmwWbWzF7LOhkISGqKcgzWyW8ZuV3WI8vE0U13y3exdfOt3JSGgLr9b
xdQqw0pilsA=
=k/Qj
-----END PGP SIGNATURE-----
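The bulletin's operative advice is to confirm that every grafana host is on the fixed build for its stream, and the three Package Lists give exactly one fixed version-release per RHEL 8 stream. The script below is an editor's example added to this page, not part of the AusCERT or Red Hat text: it takes the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' grafana`, picks the stream from the `.el8_N` dist tag in the release, and decides patched/vulnerable using a reimplementation of rpm's `rpmvercmp` ordering (digit runs compared numerically, letter runs lexically, numbers beat letters, `~` sorts before and `^` after the end of a string), so the check does not depend on running on an RPM host. The three fixed NVRs are copied from the advisories; the host names and every other NVR in `SAMPLE_HOSTS` are constructed for illustration, and a build whose dist tag is not one of the three streams listed here is reported as unknown rather than guessed at.

```python
"""Classify installed grafana builds against RHSA-2021:3769, :3770 and :3771.

Added example, not part of the bulletin. Input is the output of
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' grafana
and the ordering follows rpm's rpmvercmp(), reimplemented below.
"""
import re

# Fixed version-release per RHEL 8 stream, copied from the advisories' Package Lists.
FIXED_VR = {
    "el8_4": "7.3.6-3.el8_4",  # RHSA-2021:3771, RHEL 8 AppStream
    "el8_2": "6.3.6-3.el8_2",  # RHSA-2021:3770, RHEL 8.2 EUS
    "el8_1": "6.2.2-7.el8_1",  # RHSA-2021:3769, RHEL 8.1 EUS
}

# Constructed sample inventory; only the three fixed NVRs come from the advisories.
SAMPLE_HOSTS = {
    "host-a": "grafana-7.3.6-2.el8_4",  # constructed: older build of the same stream
    "host-b": "grafana-7.3.6-3.el8_4",  # fixed build from RHSA-2021:3771
    "host-c": "grafana-6.3.6-3.el8_2",  # fixed build from RHSA-2021:3770
    "host-d": "grafana-6.2.2-5.el8_1",  # constructed: older 8.1 EUS build
    "host-e": "grafana-7.5.9-4.el8",    # constructed: dist tag not covered here
}

# rpmvercmp looks at digit runs, letter runs and the '~' / '^' markers;
# every other character is just a separator.
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")
_DIST_TAG = re.compile(r"\.(el8(?:_\d+)?)$")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering a against b the way rpm's rpmvercmp() does."""
    if a == b:
        return 0
    sa, sb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = j = 0
    while i < len(sa) or j < len(sb):
        x = sa[i] if i < len(sa) else ""
        y = sb[j] if j < len(sb) else ""
        if x == "~" or y == "~":          # '~' sorts before anything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if x == "^" or y == "^":          # '^' sorts after end of string, before any segment
            if x == "":
                return -1
            if y == "":
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if x == "" or y == "":
            break
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:                # a numeric segment always beats an alphabetic one
            return 1 if x_num else -1
        rc = (int(x) > int(y)) - (int(x) < int(y)) if x_num else (x > y) - (x < y)
        if rc:
            return rc
        i, j = i + 1, j + 1
    if i >= len(sa) and j >= len(sb):
        return 0
    return -1 if i >= len(sa) else 1      # whichever side still has segments left wins


def split_evr(evr: str) -> tuple:
    """Split '[epoch:]version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Order two EVR strings as rpm does: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def patch_status(nvr: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-stream' for one grafana NVR."""
    name_ver, _, release = nvr.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    if name != "grafana":
        raise ValueError(f"not a grafana NVR: {nvr!r}")
    m = _DIST_TAG.search(release)
    fixed = FIXED_VR.get(m.group(1)) if m else None
    if fixed is None:
        return "unknown-stream"           # another stream has its own erratum; do not guess
    return "patched" if evr_cmp(f"{version}-{release}", fixed) >= 0 else "vulnerable"


def audit(hosts: dict) -> dict:
    """Map each host name to the patch status of its installed grafana build."""
    return {host: patch_status(nvr) for host, nvr in hosts.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_HOSTS).items():
        print(f"{host:8} {SAMPLE_HOSTS[host]:28} {status}")
```

Run it as a script to print the sample table, or feed `audit()` a dictionary built from your own inventory. The check only answers whether a build is at or above the fixed build for the three streams in this bulletin; a host whose dist tag is not `el8_1`, `el8_2` or `el8_4` comes back as `unknown-stream` and needs its own erratum looked up, and a later build of the same stream (higher release number) is correctly reported as patched because the comparison is an ordering, not an equality test.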