Closed (etrescol closed this issue 1 year ago)
Hi,
1/ I'll check and let you know.
2/ It should only listen on 127.0.0.1 and be served by the reverse proxy, so something must have changed in the configuration. I'll check and let you know.
3/ Sure, you can redirect 80 to 443 in the Apache configuration (19999 should not be served directly anyway).
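As an added illustration of points 2 and 3 above (example configuration, not SexiGraf's shipped Apache or netdata configuration, which the maintainer says they will check), the following Apache virtual hosts redirect plain HTTP on port 80 to HTTPS and expose netdata only through the reverse proxy, with the backend address on loopback. The hostname, certificate paths and htpasswd file are assumed placeholders.

```apache
# Added example: Apache reverse-proxy layout matching the maintainer's description.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_auth_basic.
# Hostname, certificate and htpasswd paths are placeholders for this example.

# Point 3: plain HTTP only answers with a permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName sexigraf.example.internal
    Redirect permanent / https://sexigraf.example.internal/
</VirtualHost>

<VirtualHost *:443>
    ServerName sexigraf.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sexigraf.crt
    SSLCertificateKeyFile /etc/ssl/private/sexigraf.key

    # Point 2: netdata is reached only via Apache; the upstream is loopback,
    # so the request passes Apache's authentication before hitting 19999.
    ProxyRequests Off
    ProxyPreserveHost On
    <Location /netdata/>
        AuthType Basic
        AuthName "netdata"
        AuthUserFile /etc/apache2/netdata.htpasswd
        Require valid-user
        ProxyPass        http://127.0.0.1:19999/
        ProxyPassReverse http://127.0.0.1:19999/
    </Location>
</VirtualHost>
```

The proxy only closes the hole if netdata itself stops listening on every interface: the complementary setting is `bind to = 127.0.0.1` in the `[web]` section of netdata.conf. After restarting both services, `ss -ltnp | grep 19999` should show only `127.0.0.1:19999`, and the auditor's direct `http://<fqdn sexigraf>:19999/` check should fail to connect.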
@etrescol can you ask if 8.4.10 would do, because some changes have been made since 8.5 and I need more time to test and fix the things that don't work because of this.
Hello,
1/
Our auditor asks us to update Grafana from the current version 8.4.4 hosted on Sexigraf 0.99h to the last available version 9.0.1. But the auditor associates the vulnerability with CVE-2022-24812: Grafana Enterprise fine-grained access control API Key privilege escalation https://github.com/grafana/grafana/security/advisories/GHSA-82gq-xfg3-5j7v (see attached file). So for me, if we follow CVE-2022-24812 on the above GitHub link or also on this link https://nvd.nist.gov/vuln/detail/CVE-2022-24812, we can even use the proposed patched version.
2/ I let you see
3/
Can we update the Apache configuration to redirect 80 to 443?
Thank you.
Emmanuel
Hello,
Did you get any news on the three points?
Emmanuel
Could you contact me at plot [at] sexigraf.fr so I can share the OVA?
Hello,
What do you mean by plot on sexigraf.fr? And for your information, on CVE-2022-24812: Grafana Enterprise fine-grained access control API Key privilege escalation (https://github.com/grafana/grafana/security/advisories/GHSA-82gq-xfg3-5j7v) and its impact, "The vulnerability is only impacting Grafana Enterprise when the fine-grained access control beta feature is enabled and there are more than one API Keys in one organization with different roles assigned", we do not use this feature, so for us it's not applicable.
Emmanuel
Hi, I meant an email: plot[at]sexigraf.fr (replace [at] with @; this is to avoid spam robots). Indeed we use Grafana OSS, not Enterprise, so we are NOT affected by those vulns.
@etrescol any news?
Hello,
We have not yet updated SexiGraf with the OVA provided, but it will be done.
Emmanuel
Hello, you can test the latest version, which fixes all the points cited above.
Hello,
Recently our PCI-DSS auditor conducted audit scans on the associated PCI-DSS perimeter. Sexigraf is part of the PCI-DSS perimeter and several vulnerabilities on the Sexigraf component have been reported to us. The vulnerabilities are described in the attached document.
In summary, three topics:
1) Can we update the Grafana software from the current version 8.4.4 to version 9.0.1? It's important to know if we can update the current version of Grafana, because our auditor asks us to update the Grafana software, and if not, why it's not possible to do it. Reference of the associated CVE: CVE-2022-24812 Grafana Enterprise fine-grained access control API Key privilege escalation: https://github.com/grafana/grafana/security/advisories/GHSA-82gq-xfg3-5j7v
2) Access to the netdata module is possible directly on port 19999 (http://<fqdn sexigraf>:19999/#menu_apps_submenu_vfs;after=0;before=0;theme=slate;utc=Europe/Paris) without authentication. Can we secure it and add authentication?
3) Can we block the use of the unencrypted HTTP protocol on ports 80 and 19999?
Thank you for your analysis and your answers. For information, if it's not possible to do something, we need to argue about it.
Regards.
Emmanuel
Attachment: 22H_5147_Q_ODIGO-TII-Vx-Sexigraf - v0.1.xls