grafana / grafana

The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
https://grafana.com
GNU Affero General Public License v3.0

Security vulnerability found in goproxy package in latest grafana GHSA-4r8x-2p26-976p/CVE-2023-37788 #74429

Open ahrycej opened 10 months ago

ahrycej commented 10 months ago

What happened?

Security scanner found vulnerable goproxy package in grafana github.com/elazarl/goproxy-v0.0.0-20220115173737-adb46da277ac (fix: 0.0.0-20230731152917-f99041a5c027)(https://github.com/advisories/GHSA-4r8x-2p26-976p), Images: ['grafana']

PATH: /usr/share/grafana/bin/grafana

https://github.com/advisories/GHSA-4r8x-2p26-976p

What did you expect to happen?

goproxy version is 0.0.0-20230731152917-f99041a5c027 or later

Did this work before?

Not applicable, this is a security issue.

How do we reproduce it?

  1. run grype scan on latest grafana docker image

Is the bug inside a dashboard panel?

No response

Environment (with versions)?

Grafana: OS: Browser:

Grafana platform?

Docker

Datasource(s)?

No response
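The reproduction step above relies on a scanner (grype, and later in the thread Snyk) reading the Go module list that the toolchain embeds in the Grafana binary. The same list can be read directly with `go version -m`, which is how to confirm whether the goproxy commit the advisory names is what a given image was actually built with. The script below is an added example, not code from the Grafana project or from anyone in this issue: `check_goproxy.sh` is a hypothetical file name, the sample build-info text and its `h1:` sums are constructed, and the fixed pseudo-version is the one quoted in the issue text.

```shell
#!/bin/sh
# Added example, not code from the Grafana project or from this issue's participants.
# Read the module versions the Go toolchain embedded into a binary and compare the
# github.com/elazarl/goproxy pseudo-version against the fix named in GHSA-4r8x-2p26-976p.
#
# Getting the build info from a real image (needs docker and a Go toolchain):
#   docker create --name gf grafana/grafana:10.2.2
#   docker cp gf:/usr/share/grafana/bin/grafana ./grafana-bin && docker rm gf
#   go version -m ./grafana-bin > buildinfo.txt
#   sh check_goproxy.sh buildinfo.txt        # hypothetical script name

# Fixed pseudo-version as quoted in the issue / advisory.
FIXED_VERSION="v0.0.0-20230731152917-f99041a5c027"
MODULE="github.com/elazarl/goproxy"

# Print the version of module $1 from `go version -m` output read on stdin.
# Lines look like "<tab>dep<tab><path><tab><version><tab><hash>"; when go.mod
# replaces a module, a "<tab>=><tab><path><tab><version>" line follows the dep
# line, and the replacement is what was compiled in, so it wins.
module_version() {
    awk -v mod="$1" '
        $1 == "dep"        { hit = ($2 == mod); if (hit) ver = $3; next }
        $1 == "=>" && hit  { ver = $3 }
        END                { print ver }
    '
}

# Print the 14-digit commit timestamp of a v0.0.0-<timestamp>-<hash>
# pseudo-version; print nothing for any other version string.
pseudo_timestamp() {
    printf '%s\n' "$1" | sed -n 's/^v0\.0\.0-\([0-9]\{14\}\)-[0-9a-f]\{12\}$/\1/p'
}

# True (exit 0) when pseudo-version $1 is the fixed commit or a later one.
# Assumption: goproxy is consumed as a pseudo-version in this range, so the
# commit timestamps order the versions; a tag or local replace is reported as
# not verified rather than as fixed.
goproxy_is_fixed() {
    have=$(pseudo_timestamp "$1")
    want=$(pseudo_timestamp "$FIXED_VERSION")
    [ -n "$have" ] && awk -v a="$have" -v b="$want" 'BEGIN { exit !(a >= b) }'
}

# Constructed `go version -m` output with the goproxy version given as $1;
# the h1: sums are placeholders, not real module hashes.
sample_buildinfo() {
    printf 'grafana: go1.21.1\n'
    printf '\tpath\tgithub.com/grafana/grafana/pkg/cmd/grafana\n'
    printf '\tmod\tgithub.com/grafana/grafana\t(devel)\n'
    printf '\tdep\t%s\t%s\th1:CONSTRUCTED\n' "$MODULE" "$1"
    printf '\tdep\tgolang.org/x/net\tv0.14.0\th1:CONSTRUCTED\n'
}

# Read build info on stdin and print a one-line verdict; exit 1 if vulnerable.
report() {
    ver=$(module_version "$MODULE")
    if [ -z "$ver" ]; then
        echo "$MODULE: not linked into this binary"
    elif goproxy_is_fixed "$ver"; then
        echo "$MODULE $ver: at or after fix $FIXED_VERSION"
    else
        echo "$MODULE $ver: VULNERABLE, needs $FIXED_VERSION or later"
        return 1
    fi
}

# With a file argument, check a real build-info dump; otherwise run the
# constructed sample with the version this issue was opened about.
if [ $# -ge 1 ]; then
    report < "$1"
else
    sample_buildinfo v0.0.0-20220115173737-adb46da277ac | report || true
fi
```

The `=>` handling matters for this thread: a go.mod `replace` directive (as in a vendored or patched copy) is what ends up in the binary, and a scanner that only reads the `dep` line can report the wrong version in either direction.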

nikimanoledaki commented 9 months ago

Hi @ahrycej, in which version(s) of Grafana did you find CVE-2023-37788?

PR https://github.com/grafana/grafana/pull/73028 fixes this in Grafana version 10.1.1. Could you confirm that upgrading to this version closes this issue, please?

nqminhdl commented 8 months ago

Hi @nikimanoledaki

I have the same issue, @ahrycej.

I did a CVE scan on grafana 10.2.0 and found many CVEs.

snyk test --severity-threshold=high --app-vulns --nested-jar-depth=0 --docker grafana/grafana:10.2.0 

Testing grafana/grafana:10.2.0...

Organization:      nqminhdl
Package manager:   apk
Project name:      docker-image|grafana/grafana
Docker image:      grafana/grafana:10.2.0
Platform:          linux/arm64
Licenses:          enabled

✔ Tested 27 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing grafana/grafana:10.2.0...

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327
  Introduced through: golang.org/x/net/http2@v0.14.0
  From: golang.org/x/net/http2@v0.14.0
  Fixed in: 0.17.0

✗ High severity vulnerability found in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583
  Introduced through: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.42.0
  From: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.42.0
  Fixed in: 0.44.0

✗ High severity vulnerability found in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109
  Introduced through: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.42.0
  From: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.42.0
  Fixed in: 0.44.0

✗ High severity vulnerability found in go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPHTTPTRACEOTELHTTPTRACE-5971114
  Introduced through: go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.42.0
  From: go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace@v0.42.0
  Fixed in: 0.44.0

✗ High severity vulnerability found in github.com/elazarl/goproxy
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMELAZARLGOPROXY-5783247
  Introduced through: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
  From: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027

Organization:      nqminhdl
Package manager:   gomodules
Target file:       /usr/share/grafana/bin/grafana
Project name:      github.com/grafana/grafana
Docker image:      grafana/grafana:10.2.0
Licenses:          enabled

Tested 1624 dependencies for known issues, found 5 issues.

Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test grafana/grafana:10.2.0 --file=path/to/Dockerfile

Snyk found some vulnerabilities in your image applications (Snyk searches for these vulnerabilities by default). See https://snyk.co/app-vulns for more information.

To remove these messages in the future, please run `snyk config set disableSuggestions=true`

-------------------------------------------------------

Testing grafana/grafana:10.2.0...

Organization:      nqminhdl
Package manager:   gomodules
Target file:       /usr/share/grafana/bin/grafana-cli
Project name:      github.com/grafana/grafana
Docker image:      grafana/grafana:10.2.0
Licenses:          enabled

✔ Tested 4 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing grafana/grafana:10.2.0...

Organization:      nqminhdl
Package manager:   gomodules
Target file:       /usr/share/grafana/bin/grafana-server
Project name:      github.com/grafana/grafana
Docker image:      grafana/grafana:10.2.0
Licenses:          enabled

✔ Tested 4 dependencies for known issues, no vulnerable paths found.

Tested 4 projects, 1 contained vulnerable paths.

I did another scan with the latest digest pushed 3 days ago. Most of the CVEs are gone, but CVE-2023-37788 still persists.

snyk test --severity-threshold=high --app-vulns --nested-jar-depth=0 --docker grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3

Testing grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3...

Organization:      nqminhdl
Package manager:   apk
Project name:      docker-image|grafana/grafana
Docker image:      grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3
Platform:          linux/amd64
Base image:        alpine:3.18.4
Licenses:          enabled

✔ Tested 31 dependencies for known issues, no vulnerable paths found.

According to our scan, you are currently using the most secure version of the selected base image

-------------------------------------------------------

Testing grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3...

✗ High severity vulnerability found in github.com/elazarl/goproxy
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMELAZARLGOPROXY-5783247
  Introduced through: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
  From: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027

Organization:      nqminhdl
Package manager:   gomodules
Target file:       /usr/share/grafana/bin/grafana
Project name:      github.com/grafana/grafana
Docker image:      grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3
Licenses:          enabled

Tested 1663 dependencies for known issues, found 1 issue.

Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3 --file=path/to/Dockerfile

Snyk found some vulnerabilities in your image applications (Snyk searches for these vulnerabilities by default). See https://snyk.co/app-vulns for more information.

To remove these messages in the future, please run `snyk config set disableSuggestions=true`

-------------------------------------------------------

Testing grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3...

Organization:      nqminhdl
Package manager:   gomodules
Target file:       /usr/share/grafana/bin/grafana-cli
Project name:      github.com/grafana/grafana
Docker image:      grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3
Licenses:          enabled

✔ Tested 3 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3...

Organization:      nqminhdl
Package manager:   gomodules
Target file:       /usr/share/grafana/bin/grafana-server
Project name:      github.com/grafana/grafana
Docker image:      grafana/grafana@sha256:40ea64b8c7e7c53ad1f0b3d461a7a52e54b194b0c1e4f6d6f3165288379e26b3
Licenses:          enabled

✔ Tested 3 dependencies for known issues, no vulnerable paths found.

Tested 4 projects, 1 contained vulnerable paths.

nqminhdl commented 7 months ago

Hi @nikimanoledaki

Do you have any ETA for the CVE fix? Thanks

ahrycej commented 7 months ago

Thank you @nqminhdl for the fast testing. I just ran tests with 10.2.2 and can confirm that goproxy was updated to v0.0.0-20230731152917-f99041a5c027; the other weaknesses you listed are also no longer present. However, I found a new issue:

https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-8pgv-569h-w5rw go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 found in /usr/share/grafana/bin/grafana

Required version is 0.46.0

ahrycej commented 7 months ago

Simple question: is there a possibility to have some security "channel" where security tests could be shared by various sec testers? I am considering testing every Grafana release and giving security recommendations to our development.

nqminhdl commented 7 months ago

Hi @nikimanoledaki

According to my latest test, I can still find this CVE.

I use Snyk CLI to test the CVE https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli

snyk test --severity-threshold=high --app-vulns --nested-jar-depth=0 --docker grafana/grafana:10.2.2

Testing grafana/grafana:10.2.2...

✗ High severity vulnerability found in openssl/libcrypto3
  Description: CVE-2023-5363
  Info: https://security.snyk.io/vuln/SNYK-ALPINE318-OPENSSL-6032386
  Introduced through: openssl/libcrypto3@3.1.3-r0, apk-tools/apk-tools@2.14.0-r2, busybox/ssl_client@1.36.1-r2, ca-certificates/ca-certificates@20230506-r0, curl/curl@8.4.0-r0, openssl/libssl3@3.1.3-r0
  From: openssl/libcrypto3@3.1.3-r0
  From: apk-tools/apk-tools@2.14.0-r2 > openssl/libcrypto3@3.1.3-r0
  From: busybox/ssl_client@1.36.1-r2 > openssl/libcrypto3@3.1.3-r0
  and 7 more...
  Image layer: 'apk add --no-cache ca-certificates bash curl tzdata musl-utils'
  Fixed in: 3.1.4-r0

Organization:      nqminhdl
Package manager:   apk
Project name:      docker-image|grafana/grafana
Docker image:      grafana/grafana:10.2.2
Platform:          linux/amd64
Base image:        grafana/grafana:10.2.2
Licenses:          enabled

Tested 31 dependencies for known issues, found 1 issue.

According to our scan, you are currently using the most secure version of the selected base image

Learn more: https://docs.snyk.io/products/snyk-container/getting-around-the-snyk-container-ui/base-image-detection

-------------------------------------------------------

Testing grafana/grafana:10.2.2...

✗ High severity vulnerability found in github.com/elazarl/goproxy
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMELAZARLGOPROXY-5783247
  Introduced through: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
  From: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027

Organization:      nqminhdl
Package manager:   gomodules
Target file:       /usr/share/grafana/bin/grafana
Project name:      github.com/grafana/grafana
Docker image:      grafana/grafana:10.2.2
Licenses:          enabled

Tested 1680 dependencies for known issues, found 1 issue.

Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test grafana/grafana:10.2.2 --file=path/to/Dockerfile

Snyk found some vulnerabilities in your image applications (Snyk searches for these vulnerabilities by default). See https://snyk.co/app-vulns for more information.

To remove these messages in the future, please run `snyk config set disableSuggestions=true`

-------------------------------------------------------

Testing grafana/grafana:10.2.2...

Organization:      nqminhdl
Package manager:   gomodules
Target file:       /usr/share/grafana/bin/grafana-cli
Project name:      github.com/grafana/grafana
Docker image:      grafana/grafana:10.2.2
Licenses:          enabled

✔ Tested 3 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing grafana/grafana:10.2.2...

Organization:      nqminhdl
Package manager:   gomodules
Target file:       /usr/share/grafana/bin/grafana-server
Project name:      github.com/grafana/grafana
Docker image:      grafana/grafana:10.2.2
Licenses:          enabled

✔ Tested 3 dependencies for known issues, no vulnerable paths found.

Tested 4 projects, 2 contained vulnerable paths.

Simple question: is there a possibility to have some security "channel" where security tests could be shared by various sec testers? I am considering testing every Grafana release and giving security recommendations to our development.

My company is using Snyk to share CVEs detected on docker images. You will receive emails once you have been invited to the Snyk project. Snyk also supports integrations for notifications: https://docs.snyk.io/integrate-with-snyk/notifications-ticketing-system-integrations/slack-app

ahrycej commented 7 months ago

The openssl vulnerability is not coming from Grafana, I think; it comes from the image.

ahrycej commented 7 months ago

All Go packages and dependencies are coming from Grafana. We can't use Snyk; we use different tools, e.g. grype/syft, and my question was to the Grafana project whether we could establish some dedicated security channel. I could test regularly and give feedback.

ahrycej commented 7 months ago

We take the rpm and build our own docker image.

cameronwaterman commented 7 months ago

Will the fix for this issue be back ported to a 9.X version?

AtleWebstep commented 4 months ago

Version 10.3.1 still has these in bin/grafana gomodules:

✗ High severity vulnerability found in github.com/mattn/go-sqlite3
  Description: Heap-based Buffer Overflow
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMATTNGOSQLITE3-6139875
  Introduced through: github.com/mattn/go-sqlite3@v1.14.16
  From: github.com/mattn/go-sqlite3@v1.14.16
  Fixed in: 1.14.18

✗ High severity vulnerability found in github.com/elazarl/goproxy
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMELAZARLGOPROXY-5783247
  Introduced through: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027
  From: github.com/elazarl/goproxy@v0.0.0-20230731152917-f99041a5c027

ahrycej commented 4 months ago

Actually, I also tested 10.3.1 and I find only https://github.com/advisories/GHSA-9763-4f94-gfch in github.com/cloudflare/circl-v1.3.3; a fix is available in 1.3.7.

A second issue is not detected yet, but Grafana has golang.org/x/crypto version 0.17.0.

This package is impacted by the Terrapin attack, but I don't know if there is an impact for Grafana; could somebody check? https://www.cvedetails.com/cve/CVE-2023-48795/ https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d I think it requires x/crypto v0.19.0.

ahrycej commented 4 months ago

OK, goproxy has no fix at the moment; that is why I did not see it.

rgoltz commented 2 months ago

We still see the vulnerability CVE-2023-37788 in package github.com/elazarl/goproxy using the latest docker image grafana/grafana:latest (pulled on Friday, 05.04.2024; should be version 10.4.1).

Following the references, there seems to be a fix upstream in goproxy:

Is it possible to upgrade goproxy to address CVE-2023-37788? I'll also monitor upcoming latest tag updates of Grafana.

Edit: Issue still remains (tested today, 08.04.2024 with Images from Docker-Hub):

rgoltz commented 2 months ago

@nikimanoledaki @usmangt - Any chance to provide an update for this issue or check the goproxy upgrade with the team to get rid of CVE-2023-37788? Thanks a lot.

Update: While checking on PRs related to go.mod, I found PR https://github.com/grafana/grafana/pull/86952, which contains: github.com/elazarl/goproxy v0.0.0-20230731152917-f99041a5c027. From my understanding, this changed line/version tag should cover the fix for this CVE.

rgoltz commented 1 month ago

@tonypowa - You handled another CVE GitHub issue some seconds ago. Maybe you can take a look here as well? 😇 (see my recent comment above). Thanks a lot.

rgoltz commented 3 weeks ago

We still see the vulnerability CVE-2023-37788 in package github.com/elazarl/goproxy using the latest docker image grafana/grafana:latest (pulled on Friday, 05.04.2024; should be version 10.4.1).

Following the references, there seems to be a fix upstream in goproxy:

Is it possible to upgrade goproxy to address CVE-2023-37788?

@vtorosyan / @kalleep - Maybe you can help / trigger the update of the goproxy version?

simonc6372 commented 3 weeks ago

This was fixed in main last week and should make the next release.

https://github.com/grafana/grafana/commit/cd15e9732d2941568ec61e5870bed04d978a76f0

rgoltz commented 1 week ago

Update of comment: the current main tag from Docker Hub still contains this CVE. I'll wait for the next release/image update.

Tested with Grafana Version 11.2.0-185101 / branch main / compiled 2024-06-26T18:42:02Z