Grafana releases security patch after exploit for severe bug goes public
Grafana Labs has released an emergency security update today to patch a critical vulnerability after security researchers released proof-of-concept code to exploit the issue over the weekend.
The vulnerability, tracked as CVE-2021-43798, impacts the company’s main product, the Grafana dashboard, used by companies across the globe to monitor and aggregate logs and other parameters from across their local or remote networks.
Described as a path traversal attack, the vulnerability can allow an attacker to read files outside the Grafana application’s folder.
For example, an attacker can abuse Grafana plugin URLs to escape the Grafana app folder and gain access to files stored on the underlying server, such as files storing passwords and configuration settings—details that the attacker could weaponize in subsequent attacks.
All Grafana self-hosted servers running 8.x versions of the software are considered vulnerable.
The issue was patched today with the release of Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7. In its patch notes, Grafana Labs said that its cloud-hosted Grafana dashboards were not impacted by this vulnerability, which benefited from additional security protections.
Grafana did say in its statement that it was aware of the issue since last week, when it initially received a bug report, but was eventually forced into releasing an emergency patch earlier today after proof-of-concept code to exploit the bug was published online.
Several security researchers also claimed online today that the issue was being actively exploited in real-world attacks, but it was unclear if the exploitation was being done by bug bounty hunters or by malicious entities.
The Record could not confirm the nature of these exploitation attempts with independent third parties. There are currently between 3,000 and 5,000 Grafana servers exposed online, almost all exclusively used to monitor large corporate networks.