CVE-2022-29170

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security allow list lets an administrator configure Grafana so that the instance doesn’t call, or only calls, specific hosts. The vulnerability, present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3, allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give sensitive information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.


Description
Today we are releasing Grafana Enterprise 8.5.3 and 7.5.16. These patch releases include a moderate-severity security fix for Grafana Enterprise that protects against an SSRF attack which bypasses datasource network restrictions via HTTP redirects.

Release v.8.5.3, only containing security fixes:

Download Grafana Enterprise 8.5.3

Release v.7.5.16, only containing security fixes:

Download Grafana Enterprise 7.5.16

SSRF - datasource network restrictions bypass via HTTP redirects

On 2nd of May, during an internal security audit, we discovered a security vulnerability that impacts Grafana Enterprise instances using the Request security feature.

We believe that this vulnerability is rated at CVSS 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L).

Pre-conditions

  • Running Grafana Enterprise 7.4.0-beta1 - 8.5.2
  • Request security allow list feature is configured to use at least one host_allow_list or host_deny_list
  • There is a possibility of adding a custom datasource to Grafana which returns HTTP redirects

Summary

In Grafana Enterprise, the Request security allow list lets an administrator configure Grafana so that the instance doesn’t call, or only calls, specific hosts.

The vulnerability allows these security configurations to be bypassed if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host.

Impact

The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give sensitive information to the clients.
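The fix the advisory describes, applying the allow list to every redirect hop rather than only to the initial request, written out as an added Go illustration that is not Grafana's own code. The `allow` map, the helper names and the local test server standing in for a malicious datasource on an allowed host are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ErrHostNotAllowed marks a request, initial or redirected, aimed outside the allow list.
var ErrHostNotAllowed = errors.New("host not in allow list")

// NewRestrictedClient returns an http.Client whose CheckRedirect re-applies the allow list on every redirect hop.
func NewRestrictedClient(allow map[string]bool) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if !allow[req.URL.Hostname()] {
				return fmt.Errorf("redirect to %q: %w", req.URL.Host, ErrHostNotAllowed)
			}
			return nil // hop stays inside the allow list; follow it
		},
	}
}

// FetchRestricted screens the initial URL, then issues the GET; each redirect hop is screened by CheckRedirect.
func FetchRestricted(c *http.Client, allow map[string]bool, u *url.URL) (int, error) {
	if !allow[u.Hostname()] {
		return 0, fmt.Errorf("request to %q: %w", u.Host, ErrHostNotAllowed)
	}
	resp, err := c.Get(u.String())
	if err != nil {
		return 0, err // a refused redirect surfaces here, wrapped in *url.Error
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// RunDemo starts a constructed local "datasource" on an allowed host that answers 302 to a forbidden host and reports whether the client refused the hop.
func RunDemo() (blocked bool, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "http://forbidden.example/", http.StatusFound)
	}))
	defer srv.Close()
	u, _ := url.Parse(srv.URL + "/query")
	allow := map[string]bool{u.Hostname(): true} // only the datasource's own host is allowed
	_, err = FetchRestricted(NewRestrictedClient(allow), allow, u)
	return errors.Is(err, ErrHostNotAllowed), err
}
```

Without the CheckRedirect hook, the same client would follow the 302 to the forbidden host and return whatever it served, which is the behaviour the advisory describes.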

Grafana Cloud is not impacted by this vulnerability.

Affected versions with MODERATE severity

All Grafana Enterprise instances with 7.4.0-beta1 - 8.5.2 versions are affected by this vulnerability.

Solutions and mitigations

All installations after Grafana Enterprise v7.4.0-beta1 should be upgraded as soon as possible.

Grafana Cloud is not impacted by this vulnerability, and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure’s Grafana as a service offering.

Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

  • 2022-05-02 A potential issue related to the Request security feature in Grafana Enterprise was reported internally

  • 2022-05-02 12:33 Issue escalated and the vulnerability confirmed reproducible

  • 2022-05-02 15:00 Decision is made to release a private patch

  • 2022-05-02 15:21 CVE requested

  • 2022-05-03 15:58 Private release planned for 2022-05-05, and public release planned for 2022-05-19

  • 2022-05-05 12:00 Private release

  • 2022-05-19 12:00 Public release

Reporting security issues

If you think you have found a security vulnerability, please send a report to [email protected]. This address can be used for all of Grafana Labs’s open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address.

Please encrypt your message to us using our PGP key. The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Important: We ask you not to disclose the vulnerability before it has been fixed and announced, unless you have received a response from the Grafana Labs security team that you may do so.

Security announcements

We maintain a category on the community site called Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to email updates to this category if you have a grafana.com account and sign on to the community site or track updates via an RSS feed.
