Bugzilla – Bug 1212641
VUL-0: CVE-2023-3128: grafana: account takeover possible when using Azure AD OAuth
Last modified: 2024-06-07 12:13:01 UTC
CVE-2023-3128: Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application. If exploited, the attacker can gain complete control of the user's account, including access to private customer data and sensitive information. All users in Grafana deployments with Azure AD OAuth configured with a multi-tenant Azure app and which do not have allowed_groups configured are affected and can be compromised.

Upstream fix for 8.5.x: https://github.com/grafana/grafana/commit/2b60228f42f45fddc0821a78bf2568598a1a40c8#diff-dc899ea32f268c53e94f76ae5ff45a239dde212d815e715fc3804ea4dfe87a75L1261
Upstream fix for 9.4.x: https://github.com/grafana/grafana/commit/26f009141c5583aa44b2db0d444874bdbccb7dce

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3128
https://bugzilla.redhat.com/show_bug.cgi?id=2213626
https://www.cve.org/CVERecord?id=CVE-2023-3128
https://grafana.com/security/security-advisories/cve-2023-3128/
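As an added illustration (this is not Grafana's code nor its actual fix, which lives in the upstream commits linked above), a minimal Go model of the failure the advisory describes: keying a local account on the email claim lets two tokens from different tenants resolve to the same account, while binding the account to the tid/oid claims and enforcing allowed_groups does not. All claim, tenant and group values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the subset of an Azure AD ID token used here (constructed types).
type Claims struct {
	Email  string   // "email": profile field, NOT unique across tenants
	TID    string   // "tid": tenant ID
	OID    string   // "oid": object ID, stable and unique within a tenant
	Groups []string // "groups" claim
}

// EmailKey is the weak binding the advisory describes: the email claim alone.
func EmailKey(c Claims) string { return c.Email }

// TenantObjectKey binds the account to (tid, oid), which the user cannot
// choose and which does not collide across tenants.
func TenantObjectKey(c Claims) string { return c.TID + "/" + c.OID }

// Login resolves the local account key for a token after enforcing
// allowed_groups; an empty list means no restriction (the affected setup).
func Login(allowedGroups []string, key func(Claims) string, c Claims) (string, error) {
	if len(allowedGroups) > 0 {
		ok := false
		for _, g := range c.Groups {
			for _, a := range allowedGroups {
				ok = ok || g == a
			}
		}
		if !ok {
			return "", errors.New("not a member of any allowed group")
		}
	}
	return key(c), nil
}
func main() {
	// Constructed tokens: same profile email, issued by two different tenants.
	victim := Claims{Email: "alice@example.com", TID: "tenant-A", OID: "oid-1", Groups: []string{"grafana-users"}}
	foreign := Claims{Email: "alice@example.com", TID: "tenant-B", OID: "oid-9"}
	v1, _ := Login(nil, EmailKey, victim)
	v2, _ := Login(nil, EmailKey, foreign)
	h1, _ := Login(nil, TenantObjectKey, victim)
	h2, _ := Login(nil, TenantObjectKey, foreign)
	_, err := Login([]string{"grafana-users"}, EmailKey, foreign)
	fmt.Println("email key collides:", v1 == v2, "tid/oid collides:", h1 == h2, "groups reject:", err != nil)
}
```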
Grafana advisory [0] states 6.7.0 as the first vulnerable version, so in theory all of our maintained codestreams are affected:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
- SUSE:SLE-12:Update
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update

But I don't know which one of them enables Azure Active Directory. Maintainers, could you please clarify this?

[0] https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/
Azure AD OAuth authentication can be enabled in Grafana configuration. Supported since Grafana 6.7.0.
(In reply to Witek Bedyk from comment #2)
> Azure AD OAuth authentication can be enabled in Grafana configuration.
> Supported since Grafana 6.7.0.

Thanks Witek. Considering the following affected then:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
- SUSE:SLE-12:Update
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update
Prepared SR in SLE development project with upgrade to version 9.5.5: https://build.opensuse.org/request/show/1094876
For the Cloud versions the configuration control does not support enabling OAuth, so we consider this CVE not applicable. What the config would need to look like is documented at https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/azuread/#enable-azure-ad-oauth-in-grafana .

In Crowbar that configuration setting is not a variable, so it is not user configurable: https://github.com/crowbar/crowbar-openstack/blob/26948f746e32eb7ea83f8d2c8d99b68e403cc5fa/chef/cookbooks/horizon/templates/default/grafana.ini.erb#L242

For Ardana I only found references in devstack that also doesn't allow enabling it. But Jeremey will add another comment to confirm.
For SOC CLM, Grafana is not deployed or documented in any way. The graphing solution for Ardana/CLM is/was the OpsConsole. SOC9 CLM does include the grafana packages in the project, but they are not installed or deployed as part of the product. I believe this was done to make the sources between Ardana and Crowbar as uniform as possible. The result is that the packages are "on the ISO" as it were, but the user would have to go out of their way to manually install and configure them to use them.
Grafana 9.5.5 submitted into SUMA projects.
Thanks everyone for the update. Does anyone know who maintains the SLE codestreams (that are affected as well):

SUSE:SLE-12:Update
9.5.1-1.48.1

Affected
- SUSE:SLE-12:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15:Update
(In reply to Thomas Leroy from comment #8)
> Thanks everyone for the update. Does anyone know who maintains the SLE
> codestreams (that are affected as well):
> SUSE:SLE-12:Update
> 9.5.1-1.48.1
>
> Affected
> - SUSE:SLE-12:Update
> - SUSE:SLE-15-SP2:Update
> - SUSE:SLE-15:Update

Hello Thomas,
the other affected codestreams are also maintained by SUMA.
https://smelt.suse.de/maintained/?q=grafana&with_debug=1

Let me give you more details:
- SUSE:SLE-12:Update is used for the SLE12 client tools (channel SLE-Manager-Tools_12)
- SUSE:SLE-15:Update is used for the SLE15 client tools (channel SLE-Manager-Tools_15)
- SUSE:SLE-15-SP2:Update is also covered by us because we are delivering from there to openSUSE-SLE_15.4/openSUSE-SLE_15.5 that for us is relevant for Uyuni (our upstream).

The fix delivered by Witek and listed on comment 4 will be part of SUSE Manager 4.3.7 and from there we will deliver the updates to the mentioned codestreams.

@Thomas: our release date is August 1st, is this acceptable for this CVE?
(In reply to Marina Latini from comment #9)
> (In reply to Thomas Leroy from comment #8)
> > Thanks everyone for the update. Does anyone know who maintains the SLE
> > codestreams (that are affected as well):
> > SUSE:SLE-12:Update
> > 9.5.1-1.48.1
> >
> > Affected
> > - SUSE:SLE-12:Update
> > - SUSE:SLE-15-SP2:Update
> > - SUSE:SLE-15:Update
>
> Hello Thomas,
> the other affected codestreams are also maintained by SUMA.
> https://smelt.suse.de/maintained/?q=grafana&with_debug=1
>
> Let me give you more details:
> - SUSE:SLE-12:Update is used for the SLE12 client tools (channel
> SLE-Manager-Tools_12)
> - SUSE:SLE-15:Update is used for the SLE15 client tools (channel
> SLE-Manager-Tools_15)
> - SUSE:SLE-15-SP2:Update is also covered by us because we are delivering
> from there to openSUSE-SLE_15.4/openSUSE-SLE_15.5 that for us is relevant
> for Uyuni (our upstream).
>
> The fix delivered by Witek and listed on comment 4 will be part of SUSE
> Manager 4.3.7 and from there we will deliver the updates to the mentioned
> codestreams.
>
> @Thomas: our release date is August 1st, is this acceptable for this CVE?

Thanks for the clarification Marina. Since this is a critical CVE, August 1st is very late... I would need to discuss this with the team. If Azure AD OAuth is not common, we could wait, but otherwise that seems difficult...
(In reply to Thomas Leroy from comment #10)
>
> Thanks for the clarification Marina. Since this is a critical CVE, August
> 1st is very late... I would need to discuss this with the team. If Azure AD
> oauth is not common, we could wait, but otherwise that seems difficult...

Which should be the delivery time? 30 days?
(In reply to Marina Latini from comment #11)
> (In reply to Thomas Leroy from comment #10)
> >
> > Thanks for the clarification Marina. Since this is a critical CVE, August
> > 1st is very late... I would need to discuss this with the team. If Azure AD
> > oauth is not common, we could wait, but otherwise that seems difficult...
>
> Which should be the delivery time? 30 days?

Just for the record... checked with Stoyan and we agreed to deliver this fix independently from SUMA 4.3.7, with a scheduled release day set on Friday, July 21st.
(In reply to Marina Latini from comment #12)
> (In reply to Marina Latini from comment #11)
> > (In reply to Thomas Leroy from comment #10)
> > >
> > > Thanks for the clarification Marina. Since this is a critical CVE, August
> > > 1st is very late... I would need to discuss this with the team. If Azure AD
> > > oauth is not common, we could wait, but otherwise that seems difficult...
> >
> > Which should be the delivery time? 30 days?
>
> just for the records... checked with Stoyan and we agreed to deliver this
> fix independently from SUMA 4.3.7. and with a scheduled release day set on
> Friday, July 21st

Many thanks for your cooperation Marina!
SUSE-SU-2023:2917-1: An update that solves three vulnerabilities and contains two features can now be installed.

Category: security (critical)
Bug References: 1212099, 1212100, 1212641
CVE References: CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-687, PED-3694
Sources used:
openSUSE Leap 15.4 (src): grafana-9.5.5-150200.3.44.1
openSUSE Leap 15.5 (src): grafana-9.5.5-150200.3.44.1
SUSE Package Hub 15 15-SP4 (src): grafana-9.5.5-150200.3.44.1
SUSE Package Hub 15 15-SP5 (src): grafana-9.5.5-150200.3.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2916-1: An update that solves three vulnerabilities and contains two features can now be installed.

Category: security (critical)
Bug References: 1212099, 1212100, 1212641
CVE References: CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-687, PED-3694
Sources used:
SUSE Manager Client Tools for SLE 12 (src): grafana-9.5.5-1.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2915-1: An update that solves three vulnerabilities and contains two features can now be installed.

Category: security (critical)
Bug References: 1212099, 1212100, 1212641
CVE References: CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-687, PED-3694
Sources used:
SUSE Manager Client Tools for SLE 15 (src): grafana-9.5.5-150000.1.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done on our side. Current version used:
* SLE 15: 9.5.5
* SLE 12: 9.5.5
SUSE-SU-2024:0196-1: An update that solves 44 vulnerabilities, contains 14 features and has 35 security fixes can now be installed. Category: security (moderate) Bug References: 1172110, 1176460, 1180816, 1180942, 1181119, 1181935, 1183684, 1187725, 1188061, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1197507, 1198903, 1199810, 1200142, 1200480, 1200591, 1200968, 1200970, 1201003, 1201059, 1201535, 1201539, 1202614, 1202945, 1203283, 1203596, 1203597, 1203599, 1204032, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205599, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208060, 1208062, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210640, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844 CVE References: CVE-2020-7753, CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-23552, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128 Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3694, PED-4556, PED-5405, PED-5406, SLE-23422, SLE-23439, SLE-23631, SLE-24133, SLE-24565, SLE-24791 Sources used: SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, 
dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1 SUSE Manager Client Tools Beta for SLE 15 (src): python-pyvmomi-6.7.3-159000.3.6.1, golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, supportutils-plugin-salt-1.2.2-159000.5.9.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, mgr-push-5.0.1-159000.4.21.1, golang-github-lusitaniae-apache_exporter-1.0.0-159000.4.12.1, rhnlib-5.0.1-159000.6.30.1, golang-github-prometheus-prometheus-2.45.0-159000.6.33.1, spacewalk-client-tools-5.0.1-159000.6.48.1, uyuni-common-libs-5.0.1-159000.3.33.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1, golang-github-boynux-squid_exporter-1.6-159000.4.9.1, ansible-2.9.27-159000.3.9.1, prometheus-postgres_exporter-0.10.1-159000.3.6.1, grafana-9.5.8-159000.4.24.1, spacecmd-5.0.1-159000.6.42.1, python-hwdata-2.3.5-159000.5.13.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, supportutils-plugin-susemanager-client-5.0.1-159000.6.15.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0191-1: An update that solves 45 vulnerabilities, contains 17 features and has 30 security fixes can now be installed. Category: security (moderate) Bug References: 1047218, 1172110, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1194873, 1195726, 1195727, 1195728, 1196338, 1196652, 1197507, 1198903, 1199810, 1200480, 1200591, 1200725, 1201003, 1201059, 1201535, 1201539, 1203283, 1203596, 1203597, 1203599, 1204032, 1204089, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208051, 1208060, 1208062, 1208064, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844 CVE References: CVE-2020-7753, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-39226, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-23552, CVE-2022-27191, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128, CVE-2023-40577 Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3578, PED-3694, PED-4556, PED-5405, PED-5406, PED-7353, SLE-23422, SLE-23439, SLE-24238, SLE-24239, SLE-24565, SLE-24791, SUMA-114 Sources used: SUSE Manager Client Tools Beta for SLE 12 (src): rhnlib-5.0.1-24.30.3, spacecmd-5.0.1-41.42.3, grafana-9.5.8-4.21.2, prometheus-postgres_exporter-0.10.1-3.6.4, golang-github-prometheus-node_exporter-1.5.0-4.15.4, 
golang-github-QubitProducts-exporter_exporter-0.4.0-4.6.2, system-user-grafana-1.0.0-3.7.2, kiwi-desc-saltboot-0.1.1687520761.cefb248-4.15.2, golang-github-prometheus-prometheus-2.45.0-4.33.3, supportutils-plugin-susemanager-client-5.0.1-9.15.2, uyuni-common-libs-5.0.1-3.33.3, prometheus-blackbox_exporter-0.24.0-3.6.3, golang-github-lusitaniae-apache_exporter-1.0.0-4.12.4, golang-github-prometheus-alertmanager-0.26.0-4.12.4, system-user-prometheus-1.0.0-3.7.2, python-hwdata-2.3.5-15.12.2, golang-github-boynux-squid_exporter-1.6-4.9.2, supportutils-plugin-salt-1.2.2-9.9.2, golang-github-prometheus-promu-0.14.0-4.12.2, mgr-push-5.0.1-4.21.4 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.