
CVE-2020-13379: Incorrect access control vulnerability in Grafana #2600

Closed
Ebaneck opened this issue Jun 5, 2020 · 1 comment · Fixed by #2605
Labels: kind:dependencies (Pull requests that update a dependency file), priority:high (High priority issues, should be worked on ASAP (after urgent issues), not postponed), release:blocker (An issue that blocks a release until resolved), topic:monitoring (Everything related to monitoring of services in a running cluster), topic:security (Security-related issues)

Comments

Ebaneck (Contributor) commented Jun 5, 2020

Component:

'build', 'grafana'

Why this is needed:

We currently ship the following Grafana versions which are vulnerable:
For 2.4 => 6.4.2
For 2.5 => 6.7.1

See: https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/?utm_source=grafana_news&utm_medium=rss

What should be done:

Our Grafana versions have a direct binding to the Prometheus-operator chart we ship. Directly bumping the Grafana version could raise compatibility issues.

Implementation proposal (strongly recommended):
TBD

Test plan:

Ebaneck added topic:security, release:blocker and priority:high labels Jun 5, 2020
gdemonet added this to the MetalK8s 2.4.4 milestone Jun 5, 2020
gdemonet (Contributor) commented Jun 5, 2020

Let's first try by just bumping the Grafana version to 6.7.4 from the chart options, we'll see if that creates problems.
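
Before bumping the chart option, a maintainer usually wants a quick way to confirm which shipped Grafana versions fall below the fixed releases named in the linked advisory (6.7.4 and 7.0.2). The following is an added example written for this issue, not MetalK8s or Grafana code; the inventory of shipped versions is constructed to mirror the two versions listed above, and the check is deliberately conservative (anything below the fixed release on its line is flagged), since the issue does not state the advisory's exact lower bound.

```python
"""Flag shipped Grafana versions that sit below a fixed release.

Added example for issue #2600; not part of MetalK8s or Grafana.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases taken from the advisory title linked in the issue.
# Assumption: any version below the fix on its major line needs an upgrade;
# the advisory's precise affected range is not encoded here.
FIXED_RELEASES: List[Tuple[int, int, int]] = [
    (6, 7, 4),
    (7, 0, 2),
]

# Constructed inventory: MetalK8s release -> shipped Grafana version,
# mirroring the two versions listed in the issue body.
SHIPPED: Dict[str, str] = {
    "2.4": "6.4.2",
    "2.5": "6.7.1",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (optionally prefixed with 'v') into an int triple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def required_upgrade(version: str) -> Optional[str]:
    """Return the fixed release this version should move to, or None.

    A version on a major line that has a fixed release is compared against
    that fix (6.x -> 6.7.4, 7.x -> 7.0.2). A version on an older major line
    than any fix is pointed at the lowest fixed release; a newer major line
    than any fix is left alone.
    """
    v = parse_version(version)
    same_major = [fix for fix in FIXED_RELEASES if fix[0] == v[0]]
    if same_major:
        target = max(same_major)
    else:
        newer = [fix for fix in FIXED_RELEASES if fix[0] > v[0]]
        if not newer:
            return None  # newer than every fixed release on record
        target = min(newer)
    return ".".join(map(str, target)) if v < target else None


def audit(shipped: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each product release to the Grafana version it must move to."""
    return {release: required_upgrade(ver) for release, ver in shipped.items()}


if __name__ == "__main__":
    for release, target in audit(SHIPPED).items():
        status = f"upgrade to {target}" if target else "ok"
        print(f"MetalK8s {release}: Grafana {SHIPPED[release]} -> {status}")
```

Run against the constructed inventory, both shipped versions resolve to 6.7.4, which matches the bump proposed in the comment above; a 7.0.x deployment would instead be pointed at 7.0.2.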

gdemonet self-assigned this Jun 5, 2020
gdemonet added kind:dependencies and topic:monitoring labels Jun 5, 2020
gdemonet added a commit that referenced this issue Jun 5, 2020
We are going to upgrade Grafana version to 6.7.4 for a CVE fix, hence
including the piechart-panel plugin by default.
This reverts commit 08825e9, which
isn't needed anymore.
See: #2600
gdemonet added a commit that referenced this issue Jun 5, 2020
Ebaneck pushed a commit that referenced this issue Jun 8, 2020
bert-e closed this as completed in 608402a Jun 8, 2020
Ebaneck pushed a commit that referenced this issue Jun 8, 2020