Comment 3 Hardik Vyas 2020-04-28 09:25:25 UTC

Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1828735]

Comment 10 Hardik Vyas 2020-04-30 07:57:04 UTC

Mitigation:

Manually change the directory and files permissions to remove readable bits for others:

chmod 750 /var/lib/grafana

chmod 640 /var/lib/grafana/grafana.db

chown grafana:grafana /var/lib/grafana/grafana.db

Comment 20 Mark Cooper 2020-05-05 05:45:04 UTC

ServiceMesh grafana also sets its grafana.db permissions to world readable, however it’s located at /data/grafana:

bash-4.4$ ls -lah /data/grafana/grafana.db -rw-r–r--. 1 1000570000 1000570000 992K May 5 04:36 grafana.db

Comment 21 Mark Cooper 2020-05-05 06:14:26 UTC

Lowered the Severity Rating for ServiceMesh grafana. It would require an unlikely set of circumstances for this to be exploited (also increasing the attack complexity) due to grafana running within a container in ServiceMesh.

Comment 24 Jason Shepherd 2020-05-07 00:48:57 UTC

OCP 3.11 installs Grafana 5.4.3 which is vulnerable to this issue, despite being in the 5.x version series.

Comment 26 Mark Cooper 2020-05-07 04:06:49 UTC

Statement:

The versions of grafana shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 3 and 4 sets the world readable permissions on grafana database directory and file, hence affected by this vulnerability.

In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the grafana containers set their database files to world readable. However, as it’s run in a container image with SELinux MCS labels this prevents other processes on the host from reading it. Therefore, for both (OCP and OSSM) the impact is low.