Bug 1193492 – VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin

Bug 1193492 - (CVE-2021-43798) VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin

(CVE-2021-43798)
Summary:	VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-43798:7.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-12-07 16:53 UTC by Thomas Leroy
Modified:	2022-12-13 11:47 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Screenshot of a poc (371.59 KB, image/jpeg) 2021-12-07 16:53 UTC, Thomas Leroy	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Leroy 2021-12-07 16:53:27 UTC

Created attachment 854380 [details]
Screenshot of a poc

An arbitrary file read has been dropped on Twitter on 2021-12-04. For the moment, no upstream fix is given.

A quick analysis of the code make the vuln probable, but we should monitor for acknowledgement from Grafana dev team, as well as a fix.

Probable vulnerable code is in getPluginAssets method, in grafana/blob/main/pkg/api/plugins.go:284.

References:
https://github.com/grafana/grafana/blob/a2ad0a0fb61b969ecf31b6cc9df3964cccf3e313/pkg/api/plugins.go#L284

Comment 1 Marcus Meissner 2021-12-08 08:36:30 UTC

https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/

Comment 2 Thomas Leroy 2021-12-08 15:46:28 UTC

Upstream fix commit:
https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce

Security advisory:
https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p

Comment 3 Thomas Leroy 2021-12-08 16:27:59 UTC

The vulnerable commit [0] has been introduced in v8.0.0. But every version that we ship is <7.5.11. Moreover, I checked that the vulnerable commit has not been backported. Therefore, I think we are not affected.
In light of the importance this vulnerability seems to take, that would be great if someone can double-check my assessment.

[0] https://github.com/grafana/grafana/commit/c37a3bebb7b5eb3a0bee5ffb26798282f0abead0

Comment 4 Christian Almeida de Oliveira 2021-12-09 15:31:21 UTC

Cloud 8 and Cloud 9 use both version 6.7.4, thus not impacted.
Back to Security team.

Comment 5 Thomas Leroy 2021-12-13 08:21:39 UTC

Thanks Christian for confirming. Closing since we are not affected.

Comment 8 Swamp Workflow Management 2022-10-20 16:22:45 UTC

SUSE-SU-2022:3676-1: An update that fixes 14 vulnerabilities, contains four features is now available.

Category: security (important)
Bug References: 1188571,1189520,1192383,1192763,1193492,1193686,1194873,1195726,1195727,1195728,1201535,1201539,1203596,1203597
CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43815,CVE-2022-21673,CVE-2022-21702,CVE-2022-21703,CVE-2022-21713,CVE-2022-31097,CVE-2022-31107,CVE-2022-35957,CVE-2022-36062
JIRA References: PED-2145,SLE-23422,SLE-23439,SLE-24565
Sources used:
SUSE Enterprise Storage 6 (src):    grafana-8.5.13-150100.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Swamp Workflow Management 2022-12-13 11:27:28 UTC

SUSE-SU-2022:4428-1: An update that fixes 12 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1188571,1189520,1192383,1192763,1193492,1193686,1199810,1201535,1201539,1203596,1203597
CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-29170,CVE-2022-31097,CVE-2022-31107,CVE-2022-35957,CVE-2022-36062
JIRA References: PED-2145
Sources used:
openSUSE Leap 15.4 (src):    grafana-8.5.13-150200.3.29.5
openSUSE Leap 15.3 (src):    grafana-8.5.13-150200.3.29.5
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    grafana-8.5.13-150200.3.29.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2022-12-13 11:30:58 UTC

SUSE-SU-2022:4437-1: An update that solves 12 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1188571,1189520,1192383,1192763,1193492,1193686,1199810,1201535,1201539,1202945,1203283,1203596,1203597,1203599
CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-29170,CVE-2022-31097,CVE-2022-31107,CVE-2022-35957,CVE-2022-36062
JIRA References: PED-2145
Sources used:
openSUSE Leap 15.4 (src):    dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1, golang-github-boynux-squid_exporter-1.6-150000.1.9.1, golang-github-prometheus-promu-0.13.0-150000.3.9.1, prometheus-blackbox_exporter-0.19.0-150000.1.14.3, spacecmd-4.3.16-150000.3.89.1, wire-0.5.0-150000.1.9.3
openSUSE Leap 15.3 (src):    dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1, golang-github-boynux-squid_exporter-1.6-150000.1.9.1, golang-github-prometheus-promu-0.13.0-150000.3.9.1, spacecmd-4.3.16-150000.3.89.1
SUSE Manager Tools for SLE Micro 5 (src):    dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1, prometheus-blackbox_exporter-0.19.0-150000.1.14.3, uyuni-proxy-systemd-services-4.3.7-150000.1.9.3
SUSE Manager Tools 15 (src):    dracut-saltboot-0.1.1665997480.587fa10-150000.1.41.1, golang-github-boynux-squid_exporter-1.6-150000.1.9.1, grafana-8.5.13-150000.1.36.3, prometheus-blackbox_exporter-0.19.0-150000.1.14.3, spacecmd-4.3.16-150000.3.89.1, spacewalk-client-tools-4.3.13-150000.3.71.3, uyuni-proxy-systemd-services-4.3.7-150000.1.9.3
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src):    golang-github-boynux-squid_exporter-1.6-150000.1.9.1, prometheus-blackbox_exporter-0.19.0-150000.1.14.3
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src):    golang-github-boynux-squid_exporter-1.6-150000.1.9.1, prometheus-blackbox_exporter-0.19.0-150000.1.14.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2022-12-13 11:47:10 UTC

SUSE-SU-2022:4439-1: An update that solves 12 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (moderate)
Bug References: 1188571,1189520,1192383,1192763,1193492,1193686,1199810,1201535,1201539,1202945,1203283,1203596,1203597,1203599
CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-29170,CVE-2022-31097,CVE-2022-31107,CVE-2022-35957,CVE-2022-36062
JIRA References: PED-2145
Sources used:
SUSE Manager Tools 12 (src):    golang-github-boynux-squid_exporter-1.6-1.9.1, grafana-8.5.13-1.36.2, prometheus-blackbox_exporter-0.19.0-1.14.1, spacecmd-4.3.16-38.112.1, spacewalk-client-tools-4.3.13-52.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.