grafana-9.2.10-16.el9.ML.1
Errata ID: AXSA:2024-7906:07
Release date:
2024/05/30 Thursday - 12:09
Title:
grafana-9.2.10-16.el9.ML.1
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- A defect in Grafana's authentication logic allows its authorization checks to be bypassed, enabling a remote attacker to delete snapshot data without authorization. (CVE-2024-1313)
- Go's RSA encryption/decryption code contains a memory leak, enabling a remote attacker to cause a denial of service (memory exhaustion). (CVE-2024-1394)
Solution:
Update the package.
CVE:
CVE-2024-1313
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
CVE-2024-1394
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
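The defer-plus-named-results trap described above, shown as an added Go example that is not code from golang-fips/openssl or from this advisory. A constructed `handle` type stands in for the OpenSSL pkey and ctx objects and counts how many are still live; `LeakyNewRSA` reproduces the `return nil, nil, fail(...)` pattern and `FixedNewRSA` the corrected form. All function and type names here are hypothetical, and the failure points are injected by a string argument so both paths can be exercised offline.

```go
package main

import (
	"errors"
	"fmt"
)

// handle stands in for a native OpenSSL object (the pkey and ctx of the
// advisory). liveHandles counts objects created but not yet freed, so a
// non-zero value after an error path is a leak. (Constructed simulation.)
type handle struct{ name string }

var liveHandles int

func newHandle(name string) *handle {
	liveHandles++
	return &handle{name: name}
}

func (h *handle) free() { liveHandles-- }

// fail builds the error returned when a simulated native call fails.
func fail(op string) error { return errors.New(op + " failed") }

// LeakyNewRSA follows the flawed pattern: named results plus a deferred
// cleanup that frees them on error, but every error return is written as
// `return nil, nil, fail(...)`. Go assigns the result parameters before it
// runs deferred functions, so the defer always sees pkey == nil and
// ctx == nil and frees nothing. failAt is "ctx" (context creation fails
// after pkey exists) or "props" (setting properties fails after both exist).
func LeakyNewRSA(failAt string) (pkey *handle, ctx *handle, err error) {
	defer func() {
		if err != nil {
			if pkey != nil {
				pkey.free()
			}
			if ctx != nil {
				ctx.free()
			}
		}
	}()
	pkey = newHandle("pkey")
	if failAt == "ctx" {
		return nil, nil, fail("new context") // pkey leaks
	}
	ctx = newHandle("ctx")
	if failAt == "props" {
		return nil, nil, fail("set properties") // pkey and ctx leak
	}
	return pkey, ctx, nil
}

// FixedNewRSA keeps the same structure but leaves the named results intact
// on error, so the deferred cleanup can free whatever was created. It also
// nils them after freeing, so the caller never receives a freed handle.
func FixedNewRSA(failAt string) (pkey *handle, ctx *handle, err error) {
	defer func() {
		if err != nil {
			if pkey != nil {
				pkey.free()
				pkey = nil
			}
			if ctx != nil {
				ctx.free()
				ctx = nil
			}
		}
	}()
	pkey = newHandle("pkey")
	if failAt == "ctx" {
		return pkey, ctx, fail("new context")
	}
	ctx = newHandle("ctx")
	if failAt == "props" {
		return pkey, ctx, fail("set properties")
	}
	return pkey, ctx, nil
}

// LeakedHandles runs one constructor with the given failure injected and
// reports how many handles remain live afterwards. On success the caller
// owns the objects and must free them, which this helper does, so any
// non-zero result is a leak on an error path.
func LeakedHandles(ctor func(string) (*handle, *handle, error), failAt string) int {
	liveHandles = 0
	pkey, ctx, err := ctor(failAt)
	if err == nil {
		pkey.free()
		ctx.free()
	}
	return liveHandles
}

func main() {
	for _, stage := range []string{"ok", "ctx", "props"} {
		fmt.Printf("fail at %-5s leaky=%d fixed=%d\n", stage,
			LeakedHandles(LeakyNewRSA, stage), LeakedHandles(FixedNewRSA, stage))
	}
}
```

Running `main` prints two leaked handles for the leaky constructor when property setting fails and zero for the fixed one. The review check this suggests is mechanical: in any function with named results and a deferred cleanup that reads those results, an explicit `return nil, nil, err` on an error path defeats the cleanup, and a bare `return` (or returning the named values unchanged) is what the defer needs.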
Additional information:
N/A
Downloads:
SRPMS
- grafana-9.2.10-16.el9.ML.1.src.rpm
MD5: d404555c4e935e7e5572b1a5c2d92fa2
SHA-256: fa9cecd9fd331d13501990b8a7b635c674ecdf304c253435af87daf6b719d0ac
Size: 321.65 MB
Asianux Server 9 for x86_64
- grafana-9.2.10-16.el9.ML.1.x86_64.rpm
MD5: 130c2fd820a03ffe7d6ad149e982e96f
SHA-256: 50998d14840c183a05ab6da071778bc4aecf870cb01c193d0dbda227a20936a8
Size: 72.41 MB
- grafana-selinux-9.2.10-16.el9.ML.1.x86_64.rpm
MD5: bf5393922a7d16444c849dcd7f5b3045
SHA-256: 6cec7129fe4a772b0541d844ee1b1c7b75843c0c8426463f8fa5cf6ae7943e87
Size: 25.99 kB