  1. Percona Monitoring and Management
  2. PMM-3257

Grafana Security patch for CVE-2018-19039


    Details

    • Type: Bug
    • Status: Done
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.17.0
    • Component/s: PMM Server
    • Labels:

      Description

      Grafana released "Grafana 5.3.3 and 4.6.5 Security Update" https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961 and included a specific patch indicating the .

      Note: we are using Grafana 5.1.3, so we can't apply the patch directly; we need to modify it.

      User Impact:
      Any users with Editor or Admin permissions in Grafana can read from the file system any file the Grafana process has access to. In order to exploit this you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.

      This affects PMM Server since the 1.1.0 Beta release of February 7th 2017, while 1.10.0, released April 20 2018, was our first non-vulnerable release (we started building Grafana ourselves and unintentionally omitted the PhantomJS binary).

      Users on release 1.10.0 or newer are not affected by this vulnerability.
      In 1.17.0 we are fixing PhantomJS functionality.

      Steps to Reproduce:
      Not disclosed at this time.

      Current Result:
      Any user authenticated to Grafana with Editor or Admin role can read any file that the Grafana process can read from the file system.

      Expected Results:
      Grafana Users cannot gain access to the file system.

      The workaround for users unable to upgrade is to perform two actions:

      1. Set all Users to Viewer access level only
      2. Remove all dashboards that contain text panels
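      As an added illustration of auditing for the two workaround steps (not part of the original ticket or of PMM), the script below takes the JSON shapes returned by Grafana's GET /api/org/users and GET /api/dashboards/uid/<uid> endpoints and reports which users still hold Editor or Admin and which dashboards contain text panels, including panels nested inside collapsed rows. The sample data is constructed inline so it runs offline; the user and dashboard values are assumed.

```python
import json

# Constructed sample in the shape of GET /api/org/users (values are made up).
SAMPLE_USERS = json.loads("""[
 {"userId": 1, "login": "admin", "role": "Admin"},
 {"userId": 2, "login": "alice", "role": "Editor"},
 {"userId": 3, "login": "bob",   "role": "Viewer"}
]""")

# Constructed sample dashboards in the shape of GET /api/dashboards/uid/<uid>.
# The first hides a text panel inside a collapsed row; the second uses the
# pre-5.0 "rows" schema and has no text panel.
SAMPLE_DASHBOARDS = [json.loads("""{
 "dashboard": {"uid": "abc123", "title": "MySQL Overview", "panels": [
   {"id": 1, "type": "graph", "title": "QPS"},
   {"id": 2, "type": "row", "collapsed": true,
    "panels": [{"id": 3, "type": "text", "title": "Notes", "mode": "markdown"}]}
 ]}}"""), json.loads("""{
 "dashboard": {"uid": "def456", "title": "Disk",
   "rows": [{"panels": [{"id": 1, "type": "singlestat"}]}]}}""")]


def iter_panels(container):
    """Yield every panel, descending into collapsed rows and legacy "rows"."""
    for panel in container.get("panels", []):
        yield panel
        yield from iter_panels(panel)      # collapsed rows nest their own "panels"
    for row in container.get("rows", []):  # pre-5.0 dashboard schema
        yield from iter_panels(row)


def users_to_demote(users):
    """Step 1: logins holding Editor or Admin that should be set to Viewer."""
    return sorted(u["login"] for u in users if u.get("role") in ("Editor", "Admin"))


def dashboards_with_text_panels(dashboards):
    """Step 2: (uid, title, [panel ids]) for every dashboard with a text panel."""
    found = []
    for d in dashboards:
        dash = d["dashboard"]
        ids = [p.get("id") for p in iter_panels(dash) if p.get("type") == "text"]
        if ids:
            found.append((dash["uid"], dash["title"], ids))
    return found


if __name__ == "__main__":
    print("demote to Viewer:", users_to_demote(SAMPLE_USERS))
    print("dashboards with text panels:", dashboards_with_text_panels(SAMPLE_DASHBOARDS))
```

Feed the real API responses to the two functions to get the list of accounts to demote and the dashboards to remove.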

      ----------

      Please see this:
      https://github.com/grafana/grafana/commit/a8aa16673ed577b786eb2752e1ededc5cb309193#diff-3d553362b377027c6be7867e68a4a75c
      Can we apply the changes from pkg/services/rendering/phantomjs.go to our build?

                People

                • Reporter:
                  roma.novikov Roma Novikov

                Time Tracking

                Logged:
                Time Spent - 3 hours