Important security patch released in Grafana 8.3.4 and 7.5.13

Grafana's OAuth Identity Token security patch

Grafana versions 8.3.4 and 7.5.13 were released on January 18th, 2022. Both releases include patches for important security issues affecting all installations of Grafana 7.5.x and 8.x. An installation is only vulnerable if the administrator has enabled “OAuth forwarding” on data sources and also uses API keys.

OAuth Identity Token security patch (CVE-2022-21673)

The patch released in these new versions fixes a vulnerability, reported at the beginning of January, in a feature introduced in Grafana 7.2.

Grafana 7.2 added a new feature allowing opted-in data sources to forward the signed-in user's OAuth Access Token to the data source when requesting data. However, when this feature was enabled on a data source and a request to that data source was made with an API token, the OAuth Access Token of the most recently signed-in user was used instead of the API token that had just been provided.

Both Grafana 8.3.4 and Grafana 7.5.13 include the security patch for CVE-2022-21673. Since the issue is rated CVSS low, version 8.3.4 also includes the other changes shipped as part of a normal patch release.

Updating Grafana on RHEL, CentOS, CloudLinux, Rocky Linux or AlmaLinux

The recommended way of updating Grafana on Red Hat Enterprise Linux (RHEL), CentOS, CloudLinux, Rocky Linux or AlmaLinux is to download the rpm from the official repository.

Version 8.3.4

Download the rpm:

wget https://dl.grafana.com/oss/release/grafana-8.3.4-1.x86_64.rpm

Then run the installation with sudo to upgrade the 8.x series package you have installed.

sudo yum install grafana-8.3.4-1.x86_64.rpm

Version 7.5.13

Download the rpm:

wget https://dl.grafana.com/oss/release/grafana-7.5.13-1.x86_64.rpm

Then run the installation with sudo to upgrade the 7.5.x series package you have installed.

sudo yum install grafana-7.5.13-1.x86_64.rpm

Updating Grafana on Ubuntu or Debian

On Ubuntu- or Debian-based Linux systems (64-bit), run the following commands, which include downloading the installation package for these operating systems.

sudo apt-get install -y adduser libfontconfig1

wget https://dl.grafana.com/oss/release/grafana_8.3.4_amd64.deb

sudo dpkg -i grafana_8.3.4_amd64.deb
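Before running either upgrade it helps to know whether a given host is actually exposed. The following POSIX shell check is an added example, not part of the article or of Grafana itself: it compares an installed version against the fixed releases named above (7.5.13 for the 7.x line, 8.3.4 for the 8.x line, with the feature present since 7.2) and looks for the OAuth-forwarding precondition in data source provisioning. It assumes that the "Forward OAuth Identity" option is provisioned under the key jsonData.oauthPassThru, and the sample provisioning snippet at the bottom is constructed for the stand-alone run.

```shell
# Added check for the CVE-2022-21673 advisory above: is the installed Grafana below
# the fixed 7.5.13 / 8.3.4, and is the "Forward OAuth Identity" precondition provisioned?

# Turn a dotted version into a sortable integer ("8.3.4" -> 8003004); a package
# release suffix such as "8.3.4-1" is dropped first.
vernum() {
    set -- $(printf '%s\n' "${1%%-*}" | tr . ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print the action for a version; return 0 when an upgrade is required. Ranges
# follow the article: feature since 7.2, 7.x fixed in 7.5.13, 8.x fixed in 8.3.4.
grafana_needs_patch() {
    n=$(vernum "$1")
    if   [ "$n" -lt "$(vernum 7.2.0)" ];  then echo "not-affected";      return 1
    elif [ "$n" -lt "$(vernum 7.5.13)" ]; then echo "upgrade-to 7.5.13"; return 0
    elif [ "$n" -lt "$(vernum 8.0.0)" ];  then echo "patched";           return 1
    elif [ "$n" -lt "$(vernum 8.3.4)" ];  then echo "upgrade-to 8.3.4";  return 0
    else                                       echo "patched";           return 1
    fi
}

# Return 0 when provisioning YAML (file arguments, or stdin) enables OAuth
# forwarding. Assumption: the provisioning key is jsonData.oauthPassThru.
oauth_forwarding_provisioned() {
    grep -Eq '^[[:space:]]*oauthPassThru:[[:space:]]*true' "$@"
}

# Constructed sample provisioning (not from the article) for a stand-alone run.
SAMPLE_PROVISIONING='datasources:
  - name: prometheus-example
    jsonData:
      oauthPassThru: true'

# Both checks together: exposed only when the version is unpatched AND the
# precondition is configured. Prints a verdict; returns 0 when exposed.
grafana_exposed() {
    action=$(grafana_needs_patch "$1") || { echo "$1: $action"; return 1; }
    if printf '%s\n' "$2" | oauth_forwarding_provisioned; then
        echo "$1: EXPOSED, $action"; return 0
    fi
    echo "$1: $action, but OAuth forwarding is not provisioned"; return 1
}

# Real installs: pass the rpm/dpkg-reported version and the provisioning files, e.g.
#   grafana_exposed "$(rpm -q --qf '%{VERSION}' grafana)" "$(cat /etc/grafana/provisioning/datasources/*.yaml)"
grafana_exposed 8.3.3 "$SAMPLE_PROVISIONING"
```

The verdict line is what an inventory script would collect per host; a host on 7.5.13 or 8.3.4 and above reports "patched" regardless of provisioning.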

Image source: Linux Screenshots, CC BY 2.0.
