
CVE-2022-24812: Grafana Enterprise fine-grained access control API Key privilege escalation

High
vtorosyan published GHSA-82gq-xfg3-5j7v Apr 12, 2022

Package

accesscontrol (Grafana)

Affected versions

Grafana Enterprise 8.1.0-beta1 - 8.4.5

Patched versions

8.4.6

Description

Today we are releasing Grafana Enterprise 8.3.6. This patch release includes a HIGH severity security fix for a Grafana Enterprise fine-grained access control API Key privilege escalation.

Release v8.4.6, containing only security fixes:

Privilege Escalation

On April 3rd, during an internal security audit, we discovered a security vulnerability that impacts Grafana Enterprise instances with the fine-grained access control beta feature enabled.

We believe that this vulnerability is rated at CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

Pre-conditions

  • Running Grafana Enterprise 8.1.0-beta1 - 8.4.5
  • Fine-grained access control is enabled
  • There are at least 2 API Keys with different roles (e.g. one with Admin, one with Editor).

Summary

When fine-grained access control is enabled and a client uses a Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, subsequent requests with any API Key in that organization evaluate to the same permissions as the previous request. This can lead to an escalation of privileges: for example, when a first request is made with an API Key that has Admin permissions, and a second request is made with a different API Key that has Viewer permissions, the second request receives the cached Admin permissions and thereby gains higher privileges than it should.
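To make the cache-key flaw concrete, here is an added Go model of the behaviour described above. It is not Grafana's code: the permission sets, the `roles` store, the org and API key IDs, and the `VulnerableKey`/`FixedKey` naming are all constructed for the example. The only difference between the two variants is whether the cache ID includes the API key, and that alone decides whether a Viewer key served within the 30-second TTL inherits the Admin key's permissions.

```go
package main

import (
	"fmt"
	"time"
)

// Permissions is the set of actions an API key may perform (constructed sample model).
type Permissions map[string]bool

// roles is a constructed stand-in for the role store: API key 1 is Admin, key 2 is Viewer.
var roles = map[int64]Permissions{
	1: {"dashboards:read": true, "users:write": true},
	2: {"dashboards:read": true},
}

type cacheEntry struct {
	perms   Permissions
	expires time.Time
}

// PermissionCache caches resolved permissions for a TTL (30s in the advisory); keyFunc builds the cache ID.
type PermissionCache struct {
	ttl     time.Duration
	entries map[string]cacheEntry
	keyFunc func(orgID, apiKeyID int64) string
}

// VulnerableKey reproduces the flaw: the ID depends on the org alone, so all its API keys share one entry.
func VulnerableKey(orgID, apiKeyID int64) string { return fmt.Sprintf("perms:org:%d", orgID) }

// FixedKey scopes the entry to the individual API key as well.
func FixedKey(orgID, apiKeyID int64) string { return fmt.Sprintf("perms:org:%d:apikey:%d", orgID, apiKeyID) }

// Resolve serves permissions from the cache while the entry is fresh; otherwise it evaluates
// the key's role from the store and caches the result under keyFunc's ID.
func (c *PermissionCache) Resolve(orgID, apiKeyID int64) Permissions {
	id := c.keyFunc(orgID, apiKeyID)
	if e, ok := c.entries[id]; ok && time.Now().Before(e.expires) {
		return e.perms
	}
	p := roles[apiKeyID]
	c.entries[id] = cacheEntry{perms: p, expires: time.Now().Add(c.ttl)}
	return p
}

// ViewerGetsUsersWrite replays the advisory's sequence: an Admin key request, then a Viewer key
// request in the same org within the TTL. It reports whether the Viewer was granted users:write.
func ViewerGetsUsersWrite(keyFunc func(orgID, apiKeyID int64) string) bool {
	c := &PermissionCache{ttl: 30 * time.Second, entries: map[string]cacheEntry{}, keyFunc: keyFunc}
	c.Resolve(1, 1) // Admin key populates the cache
	return c.Resolve(1, 2)["users:write"]
}
```

`ViewerGetsUsersWrite(VulnerableKey)` returns true, `ViewerGetsUsersWrite(FixedKey)` returns false; in a real deployment the same check is what a regression test for this class of bug should assert.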

Impact

The vulnerability only impacts Grafana Enterprise when the fine-grained access control beta feature is enabled and there is more than one API Key in a single organization with different roles assigned.

Affected versions with HIGH severity

All Grafana Enterprise instances with 8.1.0-beta1 - 8.4.5 versions are affected by this vulnerability.

Solutions and mitigations

All installations of Grafana Enterprise v8.1.0-beta1 or later should be upgraded as soon as possible. As an alternative, disabling fine-grained access control mitigates the vulnerability.

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana as a service offering.

Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

  • 2022-04-03 13:02 A potential issue related to fine-grained access control escalated internally
  • 2022-04-03 12:07 Issue escalated and the vulnerability confirmed reproducible
  • 2022-04-03 14:30 Decision is made to release a private patch
  • 2022-04-04 09:06 CVE requested
  • 2022-04-04 12:40 Private release planned for 2022-04-05, and public release planned for 2022-04-12
  • 2022-04-04 12:40 GitHub has issued CVE-2022-24812
  • 2022-04-05 12:00 Private release
  • 2022-04-12 12:00 Public release

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can only accept vulnerability reports at this address.

Please encrypt your message to us using our PGP key. The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you not to disclose the vulnerability before it has been fixed and announced, unless you have received a response from the Grafana Labs security team that you may do so.

Security announcements

We maintain a category on the community site called Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to email updates for this category if you have a grafana.com account and are signed in to the community site, or track updates via an RSS feed.

Severity

High (8.1 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-24812

Weaknesses

No CWEs