grafana-9.0.9-2.el9.ML.1
エラータID: AXSA:2023-5548:03
リリース日:
2023/05/26 Friday - 05:13
題名:
grafana-9.0.9-2.el9.ML.1
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- go の net/http モジュールには、HTTP/2 接続のシャットダウン前に
致命的なエラーが発生した場合 HTTP/2 接続が無応答状態になる問題が
あるため、リモートの攻撃者により、サービス拒否攻撃を可能とする
脆弱性が存在します。(CVE-2022-27664)
- golang には、リバースプロキシから転送されたクエリを含むリクエスト
の Go プロキシの処理に問題があるため、リモートの攻撃者により、
net/http モジュールによって拒否された解析不能なパラメーターを含む
リクエストを介して、HTTP リクエストスマグリング攻撃を可能とする
脆弱性が存在します。(CVE-2022-2880)
- Grafana の認証プロキシには、リモートの攻撃者により、Grafana の
管理者権限からサーバーの管理者権限への権限昇格とこれによる Grafana
インスタンスの完全な操作権限の取得を可能とする脆弱性が存在します。
(CVE-2022-35957)
- Grafana には、ユーザー名と電子メールアドレスの両方をログイン
アカウントとして利用できるため、リモートの攻撃者により、攻撃対象と
するユーザーの電子メールアドレスを別のユーザーとして登録することを
介して、攻撃対象のユーザーのログインの妨害を可能とする脆弱性が存在
します。(CVE-2022-39229)
- golang の regexp モジュールには、信頼できない情報元から入力された
正規表現をコンパイルする際に大量のメモリを消費してしまう問題がある
ため、リモートの攻撃者により、細工された正規表現の入力を介して、
メモリの枯渇とそれに起因するサービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2022-41715)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-27664
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-2880
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
CVE-2022-35957
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/
CVE-2022-39229
Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`’s email address. This prevents `user_1` logging into the application since `user_1`'s password won’t match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.
Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`’s email address. This prevents `user_1` logging into the application since `user_1`'s password won’t match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.
CVE-2022-41715
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
追加情報:
N/A
ダウンロード:
SRPMS
- grafana-9.0.9-2.el9.ML.1.src.rpm
MD5: 877af9eb4d9d2db053271048d022d941
SHA-256: e75e9c5370a8dcaff7ee6f44b5e6c9c4a007e34c303134d4f018839fde32e389
Size: 268.78 MB
Asianux Server 9 for x86_64
- grafana-9.0.9-2.el9.ML.1.x86_64.rpm
MD5: 595ea09c06ef7c9543cb105e702a67ae
SHA-256: 12c8cb2d6967d7f14c8ffb5f2c92b31a48dbf33470dc8ebe8660511c829e8f7b
Size: 61.33 MB
English