grafana-9.2.10-16.el8
Errata ID: AXSA:2024-8438:09
Release date:
2024/06/21 Friday - 20:43
Title:
grafana-9.2.10-16.el8
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Grafana contains a bug in its authorization logic that lets the
  permission check for snapshot deletion be bypassed. A remote attacker
  holding an account in a different organization from the snapshot owner
  can delete snapshot data without the required write permission.
  (CVE-2024-1313)
- The RSA encryption/decryption code used by Go (the golang-fips/openssl
  wrapper) leaks memory on its error paths. A remote attacker who supplies
  attacker-controlled inputs can cause a denial of service through memory
  exhaustion. (CVE-2024-1394)
Solution:
Update the package.
CVE:
CVE-2024-1313
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
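The bypass described above comes down to a deletion path that never compares the caller's organization with the snapshot's. The following Go program is an added illustrative model, not Grafana's code: it serves DELETE /api/snapshots/<key> against an in-memory store under two policies, a broken one that treats any request whose view key resolves to a snapshot as authorized, and the intended one that requires the caller to belong to the owning organization and hold write permission there. The Snapshot, Caller and Store types, the context-based caller propagation and the sample key "abc123" are assumptions made for this example.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Snapshot is a minimal model of a stored snapshot: the view key that
// appears in /api/snapshots/<key> and the organization that owns it.
type Snapshot struct {
	Key   string
	OrgID int64
}

// Caller is the authenticated principal as the handler sees it. These
// fields are assumptions for the example, not Grafana's user model.
type Caller struct {
	OrgID    int64
	CanWrite bool // write/edit permission on snapshots in its own org
}

// Store is an in-memory snapshot table keyed by view key.
type Store struct {
	mu    sync.Mutex
	snaps map[string]Snapshot
}

func NewStore(snaps ...Snapshot) *Store {
	s := &Store{snaps: map[string]Snapshot{}}
	for _, sn := range snaps {
		s.snaps[sn.Key] = sn
	}
	return s
}

// Has reports whether a snapshot with the given view key still exists.
func (s *Store) Has(key string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.snaps[key]
	return ok
}

// Policy decides whether caller may delete snap.
type Policy func(caller Caller, snap Snapshot) bool

// BrokenPolicy models the class of bug described for CVE-2024-1313: once
// the view key resolves, the request is treated as authorized, so an
// unprivileged caller from another organization can delete the snapshot.
func BrokenPolicy(caller Caller, snap Snapshot) bool { return true }

// StrictPolicy is the intended rule: same organization and write permission.
func StrictPolicy(caller Caller, snap Snapshot) bool {
	return caller.OrgID == snap.OrgID && caller.CanWrite
}

type callerKey struct{}

// SnapshotHandler serves DELETE /api/snapshots/<key>. The caller is read
// from the request context, where an upstream auth layer is assumed to
// have placed it.
func SnapshotHandler(store *Store, policy Policy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "/api/snapshots/"
		if r.Method != http.MethodDelete || !strings.HasPrefix(r.URL.Path, prefix) {
			http.NotFound(w, r)
			return
		}
		caller, ok := r.Context().Value(callerKey{}).(Caller)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		key := strings.TrimPrefix(r.URL.Path, prefix)
		store.mu.Lock()
		defer store.mu.Unlock()
		snap, found := store.snaps[key]
		if !found {
			http.Error(w, "snapshot not found", http.StatusNotFound)
			return
		}
		if !policy(caller, snap) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		delete(store.snaps, key)
		w.WriteHeader(http.StatusOK)
	})
}

// DeleteAs issues DELETE /api/snapshots/<key> as caller and returns the
// HTTP status code; this is the shape of a cross-organization regression test.
func DeleteAs(h http.Handler, key string, caller Caller) int {
	req := httptest.NewRequest(http.MethodDelete, "/api/snapshots/"+key, nil)
	req = req.WithContext(context.WithValue(req.Context(), callerKey{}, caller))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample data: one snapshot owned by org 1, two callers.
	outsider := Caller{OrgID: 2, CanWrite: false} // unprivileged, other org
	editor := Caller{OrgID: 1, CanWrite: true}    // editor in the owning org
	for _, p := range []struct {
		name   string
		policy Policy
	}{{"broken", BrokenPolicy}, {"strict", StrictPolicy}} {
		store := NewStore(Snapshot{Key: "abc123", OrgID: 1})
		h := SnapshotHandler(store, p.policy)
		fmt.Printf("%s: outsider -> %d (still exists: %v)\n",
			p.name, DeleteAs(h, "abc123", outsider), store.Has("abc123"))
		fmt.Printf("%s: editor   -> %d\n", p.name, DeleteAs(h, "abc123", editor))
	}
}
```

After applying the update, the check worth keeping in a test suite is the outsider case: a caller from another organization must receive 403 and the snapshot must still exist afterwards, while a same-organization viewer without write permission is also refused.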
CVE-2024-1394
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
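The CVE-2024-1394 description above pins the leak on one Go idiom: a deferred function that frees the named return values, combined with error returns written as "return nil, nil, fail(...)", which overwrite those named values with nil before the deferred function runs. The following Go program is an added example, not the golang-fips/openssl code: it simulates the native pkey and ctx objects with a counter of live handles (the handle type, alloc/free, and the newCtx/setParam failure injection are constructed for the example) and measures what each setup variant leaks when context initialization or a property setter fails.

```go
package main

import (
	"errors"
	"fmt"
)

// handle stands in for a native object (the pkey and ctx that rsa.go
// allocates through OpenSSL) that the Go garbage collector never sees and
// that must be freed explicitly. Constructed for this example; nothing
// here calls OpenSSL.
type handle struct {
	name  string
	freed bool
}

var live int // native objects allocated and not yet freed

func alloc(name string) *handle {
	live++
	return &handle{name: name}
}

// free is nil-safe, like the C free functions it models. That is why the
// bug below is silent: freeing nil does nothing and reports nothing.
func (h *handle) free() {
	if h != nil && !h.freed {
		h.freed = true
		live--
	}
}

// Simulated allocation steps with a selectable failure point.
func newKey() *handle { return alloc("pkey") }

func newCtx(fail bool) (*handle, error) {
	if fail {
		return nil, errors.New("context init failed")
	}
	return alloc("ctx"), nil
}

func setParam(ctx *handle, fail bool) error {
	if fail {
		return errors.New("setting property failed")
	}
	return nil
}

// SetupLeaky follows the pattern the CVE text describes: the deferred
// function frees the named returns pkey and ctx when err is set, but each
// error path returns "nil, nil, err", which overwrites the named returns
// before the deferred function runs. Whatever was allocated is never freed.
func SetupLeaky(failAt string) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free() // pkey is already nil here
			ctx.free()  // ctx is already nil here
		}
	}()
	pkey = newKey()
	if ctx, err = newCtx(failAt == "ctx"); err != nil {
		return nil, nil, fmt.Errorf("init ctx: %w", err)
	}
	if err = setParam(ctx, failAt == "param"); err != nil {
		return nil, nil, fmt.Errorf("set param: %w", err)
	}
	return pkey, ctx, nil
}

// SetupFixed keeps the named returns as the only record of what was
// allocated: error paths set err and return, the deferred function frees
// whatever is non-nil, and only then clears the returns so the caller
// does not receive dangling handles.
func SetupFixed(failAt string) (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil {
			pkey.free()
			ctx.free()
			pkey, ctx = nil, nil
		}
	}()
	pkey = newKey()
	if ctx, err = newCtx(failAt == "ctx"); err != nil {
		err = fmt.Errorf("init ctx: %w", err)
		return
	}
	if err = setParam(ctx, failAt == "param"); err != nil {
		err = fmt.Errorf("set param: %w", err)
		return
	}
	return pkey, ctx, nil
}

// LeakedBy runs setup with a failure injected at failAt (empty for the
// success path), frees anything returned on success, and reports how many
// native objects remain live afterwards.
func LeakedBy(setup func(string) (*handle, *handle, error), failAt string) int {
	before := live
	pkey, ctx, err := setup(failAt)
	if err == nil {
		pkey.free()
		ctx.free()
	}
	return live - before
}

func main() {
	for _, failAt := range []string{"ctx", "param"} {
		fmt.Printf("fail at %-5s leaky=%d fixed=%d\n", failAt,
			LeakedBy(SetupLeaky, failAt), LeakedBy(SetupFixed, failAt))
	}
}
```

The leaky variant loses one handle when context initialization fails and two when a property setter fails; the fixed variant loses none. The general lesson, which the patched wrapper applies, is that a deferred cleanup keyed on named returns only works if every error path leaves those named returns pointing at the objects that were actually allocated.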
Additional information:
N/A
Downloads:
SRPMS
- grafana-9.2.10-16.el8.src.rpm
MD5: 3268e06c0a5c64b59628c56917904395
SHA-256: f84a6c9a1c6bbbb408536a5ab239d100e838872a1379b997e76052a88262ad2f
Size: 321.66 MB
Asianux Server 8 for x86_64
- grafana-9.2.10-16.el8.x86_64.rpm
MD5: 73c4393d44f94bdfa0b4a749bc7292d3
SHA-256: 83bb31f76681f873cf2f8df5e1767d608d7aa32284d84bb06f85d341de064a31
Size: 75.52 MB
- grafana-selinux-9.2.10-16.el8.x86_64.rpm
MD5: fe74702ca91fde6728c507d9e31d38f9
SHA-256: f54089bfb79843da9fb881f70d27cccdd7d81aaa36b96805542dabec97a9069e
Size: 33.94 kB