Important security patch released in Grafana 8.3.4 and 7.5.13

Grafana's OAuth Identity Token security patch

Grafana 8.3.4 and 7.5.13 were released on January 18th, 2022. Both versions fix an important security issue affecting installations of Grafana 7.5.x and 8.x. An installation is only exposed if an administrator has enabled “Forward OAuth Identity” on a data source and that data source is queried using API keys.

OAuth Identity Token security patch (CVE-2022-21673)

The patch released in these new versions fixes a vulnerability introduced in Grafana 7.2 and reported at the beginning of January 2022.

Grafana 7.2 added a feature allowing data sources that opt in to forward the OAuth access token of the signed-in user when requesting data. However, with that feature enabled on a data source, a request to the data source authenticated with an API key did not use the API key: Grafana forwarded the OAuth access token of the most recently signed-in user instead. A caller holding only an API key could therefore query the data source with another user's identity. Until the update is applied, turning off Forward OAuth Identity on the affected data sources removes the exposure.
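Before updating, it helps to know which data sources are actually exposed. The following shell script is an added example, not code from the original post or from Grafana: it scans a data source provisioning file for the “Forward OAuth Identity” switch, which provisioning files store as jsonData.oauthPassThru. The provisioning YAML it reads is constructed for the example; the file layout follows Grafana's documented provisioning format.

```shell
#!/bin/sh
# Added example (not from the original post or from Grafana): list the
# provisioned data sources that forward the signed-in user's OAuth token.
# The provisioning file below is constructed for this example.

# Print the name of every data source in a provisioning YAML file whose
# jsonData block sets oauthPassThru: true. Remembers the most recent
# "- name:" entry and emits it when the flag appears underneath it.
oauth_forwarding_datasources() {
  awk '
    /^[ \t]*-[ \t]*name:/ {
      sub(/^[ \t]*-[ \t]*name:[ \t]*/, "")   # keep only the value
      gsub(/"/, "")                          # drop quotes, if any
      name = $0
    }
    /^[ \t]*oauthPassThru:[ \t]*true/ { print name }
  ' "$1"
}

# Exit status 0 when at least one data source forwards the user's token,
# so the check can gate a CI pipeline or a pre-update audit.
has_oauth_forwarding() {
  [ -n "$(oauth_forwarding_datasources "$1")" ]
}

# Constructed provisioning file: two of three data sources forward the token.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
apiVersion: 1
datasources:
  - name: Prometheus
    type: prometheus
    url: http://prometheus:9090
    jsonData:
      oauthPassThru: true
  - name: Loki
    type: loki
    url: http://loki:3100
  - name: "Tempo"
    type: tempo
    url: http://tempo:3200
    jsonData:
      oauthPassThru: true
EOF

# Constructed provisioning file with the switch explicitly off.
CLEAN=$(mktemp)
cat > "$CLEAN" <<'EOF'
apiVersion: 1
datasources:
  - name: Prometheus
    type: prometheus
    url: http://prometheus:9090
    jsonData:
      oauthPassThru: false
EOF
trap 'rm -f "$SAMPLE" "$CLEAN"' EXIT

echo "Data sources forwarding OAuth identity in $SAMPLE:"
oauth_forwarding_datasources "$SAMPLE"
if has_oauth_forwarding "$CLEAN"; then
  echo "$CLEAN: exposed"
else
  echo "$CLEAN: no data source forwards the OAuth token"
fi
```

Point the function at your own files under the provisioning datasources directory. Data sources created through the UI are not in provisioning files; for those, the same jsonData.oauthPassThru field is visible in the output of the Grafana HTTP API's data source listing.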

Both Grafana 8.3.4 and Grafana 7.5.13 include the fix for CVE-2022-21673, which Grafana rates as a moderate severity issue. Version 8.3.4 also includes other changes shipped as part of the normal patch release.

Updating Grafana on RHEL, CentOS, CloudLinux, Rocky Linux or AlmaLinux

The recommended way to update Grafana on Red Hat Enterprise Linux (RHEL), CentOS, CloudLinux, Rocky Linux or AlmaLinux is to download the rpm from the official repository and install it with yum.

Version 8.3.4

Download the rpm:

wget https://dl.grafana.com/oss/release/grafana-8.3.4-1.x86_64.rpm

Then install it with sudo; yum upgrades the 8.x series package you already have installed:

sudo yum install grafana-8.3.4-1.x86_64.rpm

Version 7.5.13

Download the rpm:

wget https://dl.grafana.com/oss/release/grafana-7.5.13-1.x86_64.rpm

Then install it with sudo; yum upgrades the 7.5.x series package you already have installed:

sudo yum install grafana-7.5.13-1.x86_64.rpm

Updating Grafana on Ubuntu or Debian

On 64-bit Ubuntu or Debian systems, run the following commands, which install the package dependencies, download the installation package for these operating systems and install it (for the 7.5.x series, download the 7.5.13 package instead):

sudo apt-get install -y adduser libfontconfig1

wget https://dl.grafana.com/oss/release/grafana_8.3.4_amd64.deb

sudo dpkg -i grafana_8.3.4_amd64.deb
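After the update it is worth confirming that the installed package really is past the fixed version, especially on hosts where an older 8.x or 7.5.x package may have been pinned. The script below is an added example, not code from the original post or from Grafana: it compares a version string against the fixed releases named above (8.3.4 for the 8.x series, 7.5.13 for the 7.5 series) and against 7.2, where the affected feature first shipped. The installed_grafana_version helper assumes grafana-server -v prints “Version X.Y.Z (...)”; the version strings fed to the verdict loop are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from Grafana): decide whether
# a Grafana version predates the CVE-2022-21673 fix and needs the update.

# Convert "MAJOR.MINOR.PATCH" into one integer so versions compare numerically.
# Assumes each component is below 1000; a missing component counts as 0.
vernum() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit status 0 means the version is affected and must be updated.
# Package-style strings such as "8.3.3-1" are accepted; the rpm release
# suffix after the dash is ignored.
grafana_vulnerable() {
  v=$(vernum "${1%%-*}")
  [ "$v" -lt "$(vernum 7.2.0)" ]  && return 1   # feature did not exist yet
  [ "$v" -ge "$(vernum 8.3.4)" ]  && return 1   # 8.x series fixed
  [ "$v" -ge "$(vernum 7.5.13)" ] && [ "$v" -lt "$(vernum 8.0.0)" ] && return 1   # 7.5 series fixed
  return 0
}

# Version of the grafana-server binary on this host, or failure when it is
# not installed. Assumption: the binary prints "Version X.Y.Z (commit: ...)"
# for "grafana-server -v".
installed_grafana_version() {
  command -v grafana-server >/dev/null 2>&1 || return 1
  grafana-server -v 2>/dev/null | awk '$1 == "Version" { print $2; exit }'
}

# Print an update verdict for one version string.
verdict() {
  if grafana_vulnerable "$1"; then
    echo "$1: affected, update to 8.3.4 (8.x) or 7.5.13 (7.5.x)"
  else
    echo "$1: not affected"
  fi
}

# Constructed inputs: releases on both sides of the fixed versions.
for ver in 7.1.5 7.2.0 7.5.12 7.5.13 8.3.3-1 8.3.4-1; do
  verdict "$ver"
done

# Live check on this host, only when grafana-server is installed.
if cur=$(installed_grafana_version) && [ -n "$cur" ]; then
  verdict "$cur"
fi
```

The version gate only tells you whether the fix is present; whether the bug could be reached at all still depends on a data source having Forward OAuth Identity enabled and being queried with API keys.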

Image source: Linux Screenshots, CC BY 2.0.
