Percona Monitoring and Management / PMM-3257

Grafana Security patch for CVE-2018-19039


    Details

    • Type: Bug
    • Status: Done
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.17.0
    • Component/s: PMM Server

      Description

      Grafana released "Grafana 5.3.3 and 4.6.5 Security Update" https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961 and included a specific patch indicating the .

      Note: we are using Grafana 5.1.3, so we can't apply the patch directly; we need to modify it.

      User Impact:
      Any users with Editor or Admin permissions in Grafana can read from the file system any file the Grafana process has access to. In order to exploit this you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.

      This affects PMM Server from release 1.1.0 Beta (February 7th 2017) onward; the April 20 2018 release 1.10.0 was our first non-vulnerable release (we started building Grafana ourselves and unintentionally omitted the PhantomJS binary).

      Users on release 1.10.0 or newer are not affected by this vulnerability.
      In 1.17.0 we are fixing PhantomJS functionality.


      Steps to Reproduce:
      Not disclosed at this time.

      Current Result:
      Any user authenticated to Grafana with Editor or Admin role can read any file that the Grafana process can read from the file system.

      Expected Results:
      Grafana Users cannot gain access to the file system.

      The workaround for users unable to upgrade is to perform two actions:

      1. Set all Users to Viewer access level only
      2. Remove all dashboards that contain text panels
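      Checking whether the two workaround steps have actually been applied, as an added example that is not part of this issue or of PMM/Grafana code: it assumes the Grafana HTTP API (/api/search, /api/dashboards/uid/:uid, /api/org/users) is reachable at a base URL given on the command line (PMM Server serves Grafana under /graph) with an API key in GRAFANA_TOKEN; the sample dashboard and user records are constructed, and the panel walker also handles the pre-5.0 rows[].panels layout.

```python
import json
import os
import sys
import urllib.request

# Constructed sample dashboard (Grafana 5.x layout): a graph panel at top level
# and a text panel nested inside a collapsed row.
SAMPLE_DASHBOARD = {
    "title": "MySQL Overview",
    "panels": [
        {"id": 1, "type": "graph", "title": "QPS"},
        {"id": 2, "type": "row", "title": "Notes", "collapsed": True,
         "panels": [{"id": 3, "type": "text", "title": "Readme"}]},
    ],
}
# Constructed sample in the shape /api/org/users returns.
SAMPLE_USERS = [{"login": "alice", "role": "Admin"}, {"login": "bob", "role": "Viewer"},
                {"login": "carol", "role": "Editor"}]

def iter_panels(container):
    """Yield every panel: the 5.x 'panels' list (recursing into collapsed rows)
    and the legacy 'rows[].panels' layout used by pre-5.0 dashboard JSON."""
    for panel in container.get("panels", []):
        yield panel
        yield from iter_panels(panel)
    for row in container.get("rows", []):
        yield from iter_panels(row)

def text_panel_titles(dashboard):
    """Titles of text panels, i.e. the panels workaround step 2 says to remove."""
    return [p.get("title", "") for p in iter_panels(dashboard) if p.get("type") == "text"]

def elevated_users(org_users):
    """Logins still holding Editor or Admin, i.e. not yet set to Viewer (step 1)."""
    return sorted(u["login"] for u in org_users if u.get("role") in ("Editor", "Admin"))

def grafana_get(base_url, token, path):
    req = urllib.request.Request(base_url + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Assumed: base URL as argv[1] (PMM serves Grafana under /graph) and an API key in GRAFANA_TOKEN.
    base, token = sys.argv[1].rstrip("/"), os.environ["GRAFANA_TOKEN"]
    for hit in grafana_get(base, token, "/api/search?type=dash-db"):
        dash = grafana_get(base, token, "/api/dashboards/uid/" + hit["uid"])["dashboard"]
        for title in text_panel_titles(dash):
            print("text panel still present:", dash.get("title"), "->", title)
    print("users still Editor/Admin:", elevated_users(grafana_get(base, token, "/api/org/users")))
```

Any dashboard title printed, or any login listed, means the corresponding workaround step is still outstanding on that server.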

      ----------

      Please see this:
      https://github.com/grafana/grafana/commit/a8aa16673ed577b786eb2752e1ededc5cb309193#diff-3d553362b377027c6be7867e68a4a75c
      Can we apply the changes from pkg/services/rendering/phantomjs.go to our build?

    People

    • Assignee: Unassigned
    • Reporter: roma.novikov Roma Novikov

    Time Tracking

    • Logged: 5h