Security update for grafana

SUSE Security Update: Security update for grafana
Announcement ID: SUSE-SU-2022:3676-1
Rating: important
References: #1188571 #1189520 #1192383 #1192763 #1193492 #1193686 #1194873 #1195726 #1195727 #1195728 #1201535 #1201539 #1203596 #1203597
Cross-References:CVE-2021-36222 CVE-2021-3711 CVE-2021-41174 CVE-2021-41244 CVE-2021-43798 CVE-2021-43815 CVE-2022-21673 CVE-2022-21702 CVE-2022-21703 CVE-2022-21713 CVE-2022-31097 CVE-2022-31107 CVE-2022-35957 CVE-2022-36062
Affected Products:
  • SUSE Enterprise Storage 6

An update that fixes 14 vulnerabilities, contains four features is now available.

Description:

This update for grafana fixes the following issues:
Updated to version 8.5.13 (jsc#PED-2145, jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565):

  • CVE-2022-36062: Fixed RBAC folders/dashboards privilege escalation (bsc#1203596).
  • CVE-2022-35957: Fixed escalation from admin to server admin when auth proxy is used (bsc#1203597).
  • CVE-2022-31107: Fixed OAuth account takeover (bsc#1201539).
  • CVE-2022-31097: Fixed XSS vulnerability in the Unified Alerting (bsc#1201535).
  • CVE-2022-21702: Fixed XSS vulnerability in handling data sources (bsc#1195726).
  • CVE-2022-21703: Fixed cross-origin request forgery vulnerability (bsc#1195727).
  • CVE-2022-21713: Fixed Insecure Direct Object Reference vulnerability in Teams API (bsc#1195728).
  • CVE-2022-21673: Fixed missing error return in GetUserInfo if no user was found (bsc#1194873).
  • CVE-2021-43815: Fixed directory traversal for .csv files (bsc#1193686).
  • CVE-2021-41244: Fixed incorrect access control vulnerability(bsc#1192763).
  • CVE-2021-41174: Fixed XSS vulnerability on unauthenticated pages through interpolation binding expressions for AngularJS in URL (bsc#1192383).
  • CVE-2021-3711: Fixed SM2 Decryption Buffer Overflow (bsc#1189520).
  • CVE-2021-36222: Fixed a null pointer dereference in the KDC (bsc#1188571).
  • CVE-2021-43798: Fixed arbitrary file read in the graph native plugin (bsc#1193492).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Enterprise Storage 6:
    zypper in -t patch SUSE-Storage-6-2022-3676=1

Package List:

  • SUSE Enterprise Storage 6 (aarch64 x86_64):
    • grafana-8.5.13-150100.3.12.1
    • grafana-debuginfo-8.5.13-150100.3.12.1

References: