Open ahrycej opened 10 months ago
Hi @ahrycej, in which version(s) of Grafana did you find CVE-2023-37788?
PR https://github.com/grafana/grafana/pull/73028 fixes this in Grafana version 10.1.1. Could you confirm that upgrading to this version closes this issue, please?
Hi @nikimanoledaki
I have the same issue, @ahrycej.
I ran a CVE scan on Grafana 10.2.0 and found many CVEs.
snyk test --severity-threshold=high --app-vulns --nested-jar-depth=0 --docker grafana/grafana:10.2.0
Testing grafana/grafana:10.2.0...
Organization: nqminhdl
Package manager: apk
Project name: docker-image|grafana/grafana
Docker image: grafana/grafana:10.2.0
Platform: linux/arm64
Licenses: enabled
✔ Tested 27 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing grafana/grafana:10.2.0...
✗ High severity vulnerability found in golang.org/x/net/http2
Description: Denial of Service (DoS)
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327
Introduced through: golang.org/x/net/http2@v0.14.0
From: golang.org/x/net/http2@v0.14.0
Fixed in: 0.17.0
✗ High severity vulnerability found in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
Description: Allocation of Resources Without Limits or Throttling
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583
Introduced through: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.42.0
From: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.42.0
Fixed in: 0.44.0
✗ High severity vulnerability found in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
Description: Allocation of Resources Without Limits or Throttling
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109
Introduced through: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.42.0
From: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.42.0
Fixed in: 0.44.0
✗ High severity vulnerability found in go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
Description: Allocation of Resources Without Limits or Throttling
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114
Introduced through: go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.42.0
From: go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.42.0
Fixed in: 0.44.0
✗ High severity vulnerability found in github.com/elazarl/goproxy
Description: Denial of Service (DoS)
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMELAZARLGOPROXY-5783247
Introduced through: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
From: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
Organization: nqminhdl
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana
Project name: github.com/grafana/grafana
Docker image: grafana/grafana:10.2.0
Licenses: enabled
Tested 1624 dependencies for known issues, found 5 issues.
Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test grafana/grafana:10.2.0 --file=path/to/Dockerfile
Snyk found some vulnerabilities in your image applications (Snyk searches for these vulnerabilities by default). See https://snyk.co/app-vulns for more information.
To remove these messages in the future, please run `snyk config set disableSuggestions=true`
-------------------------------------------------------
Testing grafana/grafana:10.2.0...
Organization: nqminhdl
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana-cli
Project name: github.com/grafana/grafana
Docker image: grafana/grafana:10.2.0
Licenses: enabled
✔ Tested 4 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing grafana/grafana:10.2.0...
Organization: nqminhdl
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana-server
Project name: github.com/grafana/grafana
Docker image: grafana/grafana:10.2.0
Licenses: enabled
✔ Tested 4 dependencies for known issues, no vulnerable paths found.
Tested 4 projects, 1 contained vulnerable paths.
I did another scan with the latest digest, pushed 3 days ago. Most of the CVEs are gone, but CVE-2023-37788 still persists.
snyk test --severity-threshold=high --app-vulns --nested-jar-depth=0 --docker grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3
Testing grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3...
Organization: nqminhdl
Package manager: apk
Project name: docker-image|grafana/grafana
Docker image: grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3
Platform: linux/amd64
Base image: alpine:3.18.4
Licenses: enabled
✔ Tested 31 dependencies for known issues, no vulnerable paths found.
According to our scan, you are currently using the most secure version of the selected base image
-------------------------------------------------------
Testing grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3...
✗ High severity vulnerability found in github.com/elazarl/goproxy
Description: Denial of Service (DoS)
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMELAZARLGOPROXY-5783247
Introduced through: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
From: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
Organization: nqminhdl
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana
Project name: github.com/grafana/grafana
Docker image: grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3
Licenses: enabled
Tested 1663 dependencies for known issues, found 1 issue.
Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3 --file=path/to/Dockerfile
Snyk found some vulnerabilities in your image applications (Snyk searches for these vulnerabilities by default). See https://snyk.co/app-vulns for more information.
To remove these messages in the future, please run `snyk config set disableSuggestions=true`
-------------------------------------------------------
Testing grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3...
Organization: nqminhdl
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana-cli
Project name: github.com/grafana/grafana
Docker image: grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3
Licenses: enabled
✔ Tested 3 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3...
Organization: nqminhdl
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana-server
Project name: github.com/grafana/grafana
Docker image: grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3
Licenses: enabled
✔ Tested 3 dependencies for known issues, no vulnerable paths found.
Tested 4 projects, 1 contained vulnerable paths.
Hi @nikimanoledaki
Do you have an ETA for the CVE fix? Thanks
Thank you @nqminhdl for the fast testing. I just ran tests with 10.2.2 and can confirm that goproxy was updated to v0.0.0-20230731152917-f99041a5c027; the other weaknesses you listed are not present anymore. However, I found a new issue:
https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 found in /usr/share/grafana/bin/grafana
Required version is 0.46.0
A simple question: is there a possibility to have some security "channel" where security tests could be shared by various security testers? I am considering testing every Grafana release and giving security recommendations to our development team.
Hi @nikimanoledaki
According to my latest test, I can still find this CVE.
I use the Snyk CLI to test for the CVE: https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli
snyk test --severity-threshold=high --app-vulns --nested-jar-depth=0 --docker grafana/grafana:10.2.2
Testing grafana/grafana:10.2.2...
✗ High severity vulnerability found in openssl/libcrypto3
Description: CVE-2023-5363
Info: https://security.snyk.io/vuln/SNYK-ALPINE318-OPENSSL-6032386
Introduced through: openssl/libcrypto3@3.1.3-r0, apk-tools/apk-tools@2.14.0-r2, busybox/ssl_client@1.36.1-r2, ca-certificates/ca-certificates@20230506-r0, curl/curl@8.4.0-r0, openssl/libssl3@3.1.3-r0
From: openssl/libcrypto3@3.1.3-r0
From: apk-tools/apk-tools@2.14.0-r2 > openssl/libcrypto3@3.1.3-r0
From: busybox/ssl_client@1.36.1-r2 > openssl/libcrypto3@3.1.3-r0
and 7 more...
Image layer: 'apk add --no-cache ca-certificates bash curl tzdata musl-utils'
Fixed in: 3.1.4-r0
Organization: nqminhdl
Package manager: apk
Project name: docker-image|grafana/grafana
Docker image: grafana/grafana:10.2.2
Platform: linux/amd64
Base image: grafana/grafana:10.2.2
Licenses: enabled
Tested 31 dependencies for known issues, found 1 issue.
According to our scan, you are currently using the most secure version of the selected base image
Learn more: https://docs.snyk.io/products/snyk-container/getting-around-the-snyk-container-ui/base-image-detection
-------------------------------------------------------
Testing grafana/grafana:10.2.2...
✗ High severity vulnerability found in github.com/elazarl/goproxy
Description: Denial of Service (DoS)
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMELAZARLGOPROXY-5783247
Introduced through: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
From: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
Organization: nqminhdl
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana
Project name: github.com/grafana/grafana
Docker image: grafana/grafana:10.2.2
Licenses: enabled
Tested 1680 dependencies for known issues, found 1 issue.
Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test grafana/grafana:10.2.2 --file=path/to/Dockerfile
Snyk found some vulnerabilities in your image applications (Snyk searches for these vulnerabilities by default). See https://snyk.co/app-vulns for more information.
To remove these messages in the future, please run `snyk config set disableSuggestions=true`
-------------------------------------------------------
Testing grafana/grafana:10.2.2...
Organization: nqminhdl
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana-cli
Project name: github.com/grafana/grafana
Docker image: grafana/grafana:10.2.2
Licenses: enabled
✔ Tested 3 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing grafana/grafana:10.2.2...
Organization: nqminhdl
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana-server
Project name: github.com/grafana/grafana
Docker image: grafana/grafana:10.2.2
Licenses: enabled
✔ Tested 3 dependencies for known issues, no vulnerable paths found.
Tested 4 projects, 2 contained vulnerable paths.
A simple question: is there a possibility to have some security "channel" where security tests could be shared by various security testers? I am considering testing every Grafana release and giving security recommendations to our development team.
My company uses Snyk to share CVEs detected on Docker images. You will receive emails once you have been invited to the Snyk project. Snyk also supports integrations for notifications: https://docs.snyk.io/integrate-with-snyk/notifications-ticketing-system-integrations/slack-app
The openssl vulnerability is not coming from Grafana, I think; it comes from the image.
All Go packages and dependencies are coming from Grafana. We can't use Snyk; we use different tools, e.g. grype/syft, and my question was to the Grafana project whether we could establish some dedicated security channel. I could test regularly and give feedback.
We take the RPM and build our own Docker image.
Will the fix for this issue be backported to a 9.X version?
Version 10.3.1 still has these in bin/grafana gomodules:
✗ High severity vulnerability found in github.com/mattn/go-sqlite3
Description: Heap-based Buffer Overflow
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMATTNGOSQLITE3-6139875
Introduced through: github.com/mattn/go-sqlite3@v1.14.16
From: github.com/mattn/go-sqlite3@v1.14.16
Fixed in: 1.14.18
✗ High severity vulnerability found in github.com/elazarl/goproxy
Description: Denial of Service (DoS)
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMELAZARLGOPROXY-5783247
Introduced through: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
From: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
Actually, I also tested 10.3.1 and found only https://github.com/advisories/GHSA-9763-4f94-gfch in github.com/cloudflare/circl-v1.3.3; a fix is available in 1.3.7.
The second issue is not detected yet, but Grafana has golang.org/x/crypto version 0.17.0.
This package is impacted by the Terrapin attack, but I don't know if there is an impact for Grafana; could somebody check? https://www.cvedetails.com/cve/CVE-2023-48795/ https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d I think it requires x/crypto v0.19.0.
OK, goproxy has no fix at the moment; that is why I did not see it.
We still see the vulnerability CVE-2023-37788 in package github.com/elazarl/goproxy using the latest Docker image grafana/grafana:latest (pulled on Friday, 05.04.2024, which should be version 10.4.1).
Following the references, there seems to be a fix upstream in goproxy:
Is it possible to upgrade goproxy to address CVE-2023-37788? I'll also monitor upcoming latest tag updates of Grafana.
Edit: The issue still remains (tested today, 08.04.2024, with images from Docker Hub):
main (pushed today, Apr 8, 2024) has this vulnerability. latest (from Mar 21, 2024) shows this vulnerability as well.
@nikimanoledaki @usmangt - Any chance to provide an update for this issue, or to check the goproxy upgrade with the team to get rid of CVE-2023-37788? Thanks a lot.
Update:
While checking PRs related to go.mod, I found PR https://github.com/grafana/grafana/pull/86952, which contains:
github.com/elazarl/goproxy v0.0.0-20230731152917-f99041a5c027
From my understanding, this changed line/version tag should cover the fix for this CVE.
@tonypowa - You handled another CVE GitHub issue some sec ago. Maybe you can take a look here as well? 😇 (see my recent comment above). Thanks a lot.
We still see the vulnerability CVE-2023-37788 in package github.com/elazarl/goproxy using the latest Docker image grafana/grafana:latest (pulled on Friday, 05.04.2024, which should be version 10.4.1). Following the references, there seems to be a fix upstream in goproxy:
- goproxy v1.1 was discovered to contain an issue which can lead to Denial of Service (DoS) via unspecified vectors elazarl/goproxy#502
- Added control for the nil request elazarl/goproxy#507
Is it possible to upgrade goproxy to address CVE-2023-37788?
@vtorosyan / @kalleep - Maybe you can help / trigger the update of the goproxy version?
This was fixed in main last week and should make the next release.
https://github.com/grafana/grafana/commit/cd15e9732d2941568ec61e5870bed04d978a76f0
Update of comment: The current main tag from Docker Hub still contains this CVE. I'll wait for the next release/image update.
Tested with Grafana version 11.2.0-185101 / branch main / compiled 2024-06-26T18:42:02Z
What happened?
The security scanner found the vulnerable goproxy package in Grafana: github.com/elazarl/goproxy-v0.0.0-20220115173737-adb46da277ac (fix: 0.0.0-20230731152917-f99041a5c027) (https://github.com/advisories/GHSA-4r8x-2p26-976p), Images: ['grafana']
PATH: /usr/share/grafana/bin/grafana
https://github.com/advisories/GHSA-4r8x-2p26-976p
What did you expect to happen?
The goproxy version is 0.0.0-20230731152917-f99041a5c027 or later.
Did this work before?
Not applicable; this is a security issue.
How do we reproduce it?
Is the bug inside a dashboard panel?
No response
Environment (with versions)?
Grafana: OS: Browser:
Grafana platform?
Docker
Datasource(s)?
No response
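A way to verify the shipped binary directly instead of relying on a scanner's verdict, as an added example that is not part of this issue thread or of Grafana's code: it reads the Go module list embedded in the binary (the data `go version -m` prints) and compares the goproxy pseudo-version's commit timestamp against the fixed revision named in the thread. The module path, the fixed revision and the scanned path /usr/share/grafana/bin/grafana come from the thread; the comparison is generalised to all Go pseudo-version forms, and a tagged release such as the upstream v1.1 is reported as not comparable rather than as patched.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
)

// From the issue thread: the affected module and the revision that carries the fix.
const goproxyModule, goproxyFixed = "github.com/elazarl/goproxy", "v0.0.0-20230731152917-f99041a5c027"
// Matches Go pseudo-versions (vX.Y.Z-<ts>-<sha>, vX.Y.Z-0.<ts>-<sha>, vX.Y.Z-pre.0.<ts>-<sha>)
// and captures the yyyymmddhhmmss commit timestamp; a tagged release like v1.1.0 does not match.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[\w.]*?\.)?(\d{14})-[0-9a-f]{12}$`)
func pseudoTimestamp(v string) string {
	if m := pseudoRe.FindStringSubmatch(v); m != nil {
		return m[1]
	}
	return ""
}

// PseudoVersionAtLeast orders pseudo-versions by commit timestamp; ok is false when
// either side is not a pseudo-version, so an unparseable version is never reported as patched.
func PseudoVersionAtLeast(have, want string) (atLeast, ok bool) {
	h, w := pseudoTimestamp(have), pseudoTimestamp(want)
	if h == "" || w == "" {
		return false, false
	}
	return h >= w, true // fixed-width digit strings compare chronologically
}

// GoproxyVersion returns the goproxy version linked into a Go binary (what `go version -m` shows).
func GoproxyVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	for _, dep := range bi.Deps {
		if dep.Path == goproxyModule && dep.Replace != nil {
			return dep.Replace.Version, nil // a replace directive decides what was actually linked
		} else if dep.Path == goproxyModule {
			return dep.Version, nil
		}
	}
	return "", fmt.Errorf("%s not linked into %s", goproxyModule, path)
}
func main() { // usage: go run . /usr/share/grafana/bin/grafana (no argument: inspects itself)
	v, err := GoproxyVersion(os.Args[len(os.Args)-1])
	fixed, ok := PseudoVersionAtLeast(v, goproxyFixed)
	fmt.Println("goproxy", v, "fixed:", fixed, "comparable:", ok, "err:", err)
}
```

The same module line can be read from a shell with `go version -m /usr/share/grafana/bin/grafana`; the program only adds the timestamp comparison so the result is a yes/no rather than a string to eyeball.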