===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0048
              Moderate: grafana security and bug fix update
                               4 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           grafana
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-15727
Reference:         ESB-2018.3897
                   ESB-2018.2608

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:0019

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: grafana security and bug fix update
Advisory ID:       RHSA-2019:0019-01
Product:           Red Hat Ceph Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0019
Issue date:        2019-01-03
CVE Names:         CVE-2018-15727
=====================================================================

1. Summary:

The updated grafana package is now available for Red Hat Ceph Storage 3.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Ceph Storage 3.2 Tools - x86_64

3. Description:

The grafana package provides the Grafana metrics dashboard and graph editor.

Security Fix(es):

* grafana: authentication bypass knowing only a username of an LDAP or OAuth
  user (CVE-2018-15727)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.
Bug Fix(es):

* The grafana package has been upgraded to upstream version 5.2.4, which
  includes a number of bug fixes (BZ#1647494)

* Shrinking the cluster size no longer causes the Red Hat Ceph Storage
  Dashboard to display the error message "Templating init failed"
  (BZ#1653273)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1624088 - CVE-2018-15727 grafana: authentication bypass knowing only a username of an LDAP or OAuth user
1633825 - Add ceph FS support in ceph metrics
1647494 - Update grafana to latest for security fixes
1647496 - Remove golang dependency from grafana
1652427 - [ceph-metrics]Change password is not working
1653273 - Metrics dashboard is throwing "Templating init failed" error after rerunning metrics playbook

6. Package List:

Red Hat Ceph Storage 3.2 Tools:

Source:
grafana-5.2.4-1.el7cp.src.rpm

x86_64:
grafana-5.2.4-1.el7cp.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-15727
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
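As an added check (not part of the Red Hat or AusCERT bulletin), the POSIX shell function below takes the string printed by `rpm -q grafana` on a Red Hat Ceph Storage 3.2 Tools host and reports whether that build predates the fixed package grafana-5.2.4-1.el7cp from the package list above. It assumes the name-version-release.arch layout shown there and uses a simplified field-by-field numeric compare rather than the full rpmvercmp algorithm.

```shell
#!/bin/sh
# Added example: is the installed grafana older than the RHSA-2019:0019 build?
FIXED_VER="5.2.4"   # version from the advisory's package list
FIXED_REL="1"       # numeric part of the release "1.el7cp"

# vercmp A B: compare two dotted numeric versions field by field.
# Prints -1, 0 or 1. Simplified: assumes purely numeric fields.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"            # first field of each
        [ "$a" = "$x" ] && a="" || a="${a#*.}" # drop the consumed field
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"              # missing field counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# needs_update NVR: exit status 0 (true) when NVR is older than the fix.
# NVR is what `rpm -q grafana` prints, e.g. grafana-5.2.3-1.el7cp.x86_64
needs_update() {
    nvr="${1%.x86_64}"; nvr="${nvr%.src}"     # strip architecture suffix
    nvr="${nvr#grafana-}"                     # strip package name
    ver="${nvr%%-*}"                          # e.g. 5.2.3
    rel="${nvr#*-}"; rel="${rel%%.*}"         # numeric release, e.g. 1
    c=$(vercmp "$ver" "$FIXED_VER")
    [ "$c" -lt 0 ] && return 0                # older version: update
    [ "$c" -gt 0 ] && return 1                # newer version: fine
    [ "$rel" -lt "$FIXED_REL" ]               # same version: compare release
}

# On a real host: query rpm if it is available (skipped elsewhere).
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q grafana 2>/dev/null) || installed=""
    if [ -n "$installed" ] && needs_update "$installed"; then
        echo "$installed predates grafana-$FIXED_VER-$FIXED_REL.el7cp: apply RHSA-2019:0019"
    fi
fi
```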
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================