‘With all good intentions, I had placed the Grafana team in a bit of a stressful situation,’ researcher admits
Open source data analytics and visualization platform Grafana is urging users to upgrade their deployments after a security researcher announced the discovery of a zero-day vulnerability on Twitter.
The high-severity path traversal flaw, CVE-2021-43798, lies in the URL path used to serve installed plugins' assets, and could allow a remote attacker to read local files from the server's filesystem.
It affects versions v8.0.0-beta1 to v8.3.0, with Grafana Cloud instances unaffected.
The company moved swiftly to fix the issue on December 3 – the same day it was reported – with a private customer release issued four days later and a public release set for December 14.
Those unable to update, the company says, should mitigate the problem by running a reverse proxy in front of Grafana that normalizes the request path, collapsing dot segments such as '..' before the request reaches the application.
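The two halves of that advice, the bug class and the edge-side mitigation, are easier to see in code. The following is an added illustration written for this article, not Grafana's own handler or its fix: a deliberately unsafe path resolver of the kind that produces a traversal, the same resolver with a containment check, and the normalization step a reverse proxy would apply. The plugin directory (/var/lib/grafana/plugins) and the "/public/plugins/<id>/" route used in the sample requests are assumptions for illustration, and the request paths are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// pluginRoot is a hypothetical directory holding installed plugin assets;
// the real location is deployment-specific and is assumed here for illustration.
const pluginRoot = "/var/lib/grafana/plugins"

// resolveUnsafe shows the general shape of a path traversal bug: the file
// name taken from the URL is joined onto the plugin directory and served
// without checking that the result is still inside that directory.
// filepath.Join collapses ".." segments, so enough of them walk out of
// pluginRoot entirely. (Illustrative; not Grafana's handler.)
func resolveUnsafe(pluginID, file string) string {
	return filepath.Join(pluginRoot, pluginID, file)
}

// resolveSafe performs the same join, then refuses any result that is not
// the plugin's own directory or a descendant of it. Checking the cleaned
// path, rather than scanning the input for "..", also catches encoded or
// redundant-separator variants once the router has decoded them.
func resolveSafe(pluginID, file string) (string, error) {
	base := filepath.Join(pluginRoot, pluginID)
	full := filepath.Join(base, file)
	if full != base && !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", fmt.Errorf("%q resolves to %q, outside %q", file, full, base)
	}
	return full, nil
}

// normalizeRequestPath is the edge-side check a reverse proxy in front of an
// unpatched instance performs: percent-decode the request path, collapse "."
// and ".." segments, and report whether normalization changed anything, so the
// proxy can either forward the clean path or reject the request outright.
func normalizeRequestPath(rawPath string) (cleaned string, traversal bool, err error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", true, fmt.Errorf("undecodable path %q: %w", rawPath, err)
	}
	if !strings.HasPrefix(decoded, "/") {
		decoded = "/" + decoded
	}
	cleaned = path.Clean(decoded)
	return cleaned, cleaned != decoded, nil
}

func main() {
	// Constructed sample requests; "/public/plugins/<id>/" is assumed as the
	// plugin asset route for illustration.
	requests := []string{
		"/public/plugins/foo/img/logo.svg",
		"/public/plugins/foo/" + strings.Repeat("../", 8) + "etc/passwd",
		"/public/plugins/foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
	}
	for _, r := range requests {
		cleaned, traversal, err := normalizeRequestPath(r)
		fmt.Printf("proxy: %-60s -> %s traversal=%v err=%v\n", r, cleaned, traversal, err)
	}

	bad := strings.Repeat("../", 8) + "etc/passwd"
	fmt.Println("unsafe:", resolveUnsafe("foo", bad))
	if _, err := resolveSafe("foo", bad); err != nil {
		fmt.Println("safe:  ", err)
	}
}
```

The containment check in resolveSafe is the durable fix: it reasons about where the path ends up rather than what characters it contains, so it is not bypassed by percent-encoding or odd separator sequences. The proxy-side normalization is a stopgap for the same reason in reverse: it only protects the application if the proxy decodes and cleans the path the same way the application will, which is why normalizeRequestPath decodes before it cleans.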
Overly enthusiastic researcher
The vulnerability was first reported by security researcher Jordy Versmissen, who says that over-enthusiasm led him to share the news too soon.
“As this was the first high vulnerability I discovered, I couldn’t control my excitement and posted a Tweet about the fact that I had found a path traversal vulnerability in Grafana,” he explains.
“After a few days, I received notifications that other security researchers also found the vulnerability in Grafana’s codebase and they published a proof-of-concept on GitHub and Twitter. With all good intentions I had placed the Grafana team in a bit of a stressful situation.”
Grafana then moved to build eight releases, four private and four public, for every platform and deployment model it supports.
“In total, we ended up releasing dozens and dozens of full artifacts within mere hours. Plus, we had some build failures during release,” says Grafana’s community director, Richard Hartmann.
“We will have a release engineering sprint within the next few weeks to allow us to seamlessly build private releases and to massively speed up overall release build speed.”
Hartmann says the company had already been working on establishing a bug bounty program, and should have it ready soon.
“While it will take us some more time to release [the program],” he says, “if we had it in place by last Friday, we would not have inadvertently created an incentive for Jordy to submit to other third parties.”