
A grafana security update has been released for SUSE Linux Enterprise and openSUSE Leap 15.3/15.4.



SUSE-SU-2022:4428-1: important: Security update for grafana


SUSE Security Update: Security update for grafana
______________________________________________________________________________

Announcement ID: SUSE-SU-2022:4428-1
Rating: important
References: #1188571 #1189520 #1192383 #1192763 #1193492 #1193686 #1199810 #1201535 #1201539 #1203596 #1203597 PED-2145
Cross-References: CVE-2021-36222 CVE-2021-3711 CVE-2021-41174 CVE-2021-41244 CVE-2021-43798 CVE-2021-43813 CVE-2021-43815 CVE-2022-29170 CVE-2022-31097 CVE-2022-31107 CVE-2022-35957 CVE-2022-36062
CVSS scores:
CVE-2021-36222 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-36222 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3711 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3711 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41174 (NVD) : 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
CVE-2021-41174 (SUSE): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
CVE-2021-41244 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41244 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-43798 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-43798 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-43813 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-43813 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-43815 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-43815 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2022-29170 (NVD) : 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CVE-2022-29170 (SUSE): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
CVE-2022-31097 (NVD) : 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVE-2022-31097 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE-2022-31107 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31107 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2022-35957 (NVD) : 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-35957 (SUSE): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-36062 (NVD) : 3.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CVE-2022-36062 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Affected Products:
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.3
SUSE Manager Retail Branch Server 4.3
SUSE Manager Server 4.3
openSUSE Leap 15.3
openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes 12 vulnerabilities and contains one
feature is now available.

Description:

This update for grafana fixes the following issues:

Version update from 8.3.10 to 8.5.13 (jsc#PED-2145):

- Security fixes:
* CVE-2022-36062: (bsc#1203596)
* CVE-2022-35957: (bsc#1203597)
* CVE-2022-31107: (bsc#1201539)
* CVE-2022-31097: (bsc#1201535)
* CVE-2022-29170: (bsc#1199810)
* CVE-2021-43813, CVE-2021-43815: (bsc#1193686)
* CVE-2021-43798: (bsc#1193492)
* CVE-2021-41244: (bsc#1192763)
* CVE-2021-41174: (bsc#1192383)
* CVE-2021-3711: (bsc#1189520)
* CVE-2021-36222: (bsc#1188571)

- Features and enhancements:
* AccessControl: Disable user remove and user update roles when they do not have the permissions
* AccessControl: Provisioning for teams
* Alerting: Add custom grouping to Alert Panel
* Alerting: Add safeguard for migrations that might cause data loss
* Alerting: AlertingProxy to elevate permissions for request forwarded to data proxy when RBAC enabled
* Alerting: Grafana uses > instead of >= when checking the For duration
* Alerting: Move slow queries in the scheduler to another goroutine
* Alerting: Remove disabled flag for data source when migrating alerts
* Alerting: Show notification tab of legacy alerting only to editor
* Alerting: Update migration to migrate only alerts that belong to existing org/dashboard
* Alerting: Use expanded labels in dashboard annotations
* Alerting: Use time.Ticker instead of alerting.Ticker in ngalert
* Analytics: Add user id tracking to google analytics
* Angular: Add AngularJS plugin support deprecation plan to docs site
* API: Add usage stats preview endpoint
* API: Extract OpenAPI specification from source code using go-swagger
* Auth: implement auto_sign_up for auth.jwt
* Azure Monitor Logs: Optimize data fetching in resource picker
* Azure Monitor Logs: Order subscriptions in resource picker by name
* Azure Monitor: Include datasource ref when interpolating variables
* AzureMonitor: Add support for not equals and startsWith operators when creating Azure Metrics dimension filters
* AzureMonitor: Do not quote variables when a custom "All" variable option is used
* AzureMonitor: Filter list of resources by resourceType
* AzureMonitor: Update allowed namespaces
* BarChart: color by field, x time field, bar radius, label skipping
* Chore: Implement OpenTelemetry in Grafana
* Cloud Monitoring: Adds metric type to Metric drop down options
* CloudMonitor: Correctly encode default project response
* CloudWatch: Add all ElastiCache Redis Metrics
* CloudWatch: Add Data Lifecycle Manager metrics and dimension
* CloudWatch: Add Missing Elasticache Host-level metrics
* CloudWatch: Add multi-value template variable support for log group names in logs query builder
* CloudWatch: Add new AWS/ES metrics. #43034, @sunker
* Cloudwatch: Add support for AWS/PrivateLink* metrics and dimensions
* Cloudwatch: Add support for new AWS/RDS EBS* metrics
* Cloudwatch: Add syntax highlighting and autocomplete for "Metric Search"
* Cloudwatch: Add template variable query function for listing log groups
* Configuration: Add ability to customize okta login button name and icon
* Elasticsearch: Add deprecation notice for < 7.10 versions
* Explore: Support custom display label for exemplar links for Prometheus datasource
* Hotkeys: Make time range absolute/permanent
* InfluxDB: Use backend for influxDB by default via feature toggle
* Legend: Use correct unit for percent and count calculations
* Logs: Escape windows newline into single newline
* Loki: Add unpack to autocomplete suggestions
* Loki: Use millisecond steps in Grafana 8.5.x.
* Playlists: Enable sharing direct links to playlists
* Plugins: Allow using both Function and Class components for app plugins
* Plugins: Expose emotion/react to plugins to prevent load failures
* Plugins: Introduce HTTP 207 Multi Status response to api/ds/query
* Rendering: Add support for renderer token
* Setting: Support configuring feature toggles with bools instead of just passing an array
* SQLStore: Prevent concurrent migrations
* SSE: Add Mode to drop NaN/Inf/Null in Reduction operations
* Tempo: Switch out Select with AsyncSelect component to get loading state in Tempo Search
* TimeSeries: Add migration for Graph panel's transform series override
* TimeSeries: Add support for negative Y and constant transform
* TimeSeries: Preserve null/undefined values when performing negative y transform
* Traces: Filter by service/span name and operation in Tempo and Jaeger
* Transformations: Add 'JSON' field type to ConvertFieldTypeTransformer
* Transformations: Add an All Unique Values Reducer
* Transformers: avoid error when the ExtractFields source field is missing

- Breaking changes:
* For a data source query made via /api/ds/query:
+ If the DatasourceQueryMultiStatus feature is enabled and the data source response has an error set as part of the DataResponse, the resulting HTTP status code is now '207 Multi Status' instead of '400 Bad Request'. Clients and automation that only test for HTTP 200 must now inspect the per-query results in the 207 response body to detect failed queries
+ If the DatasourceQueryMultiStatus feature is not enabled and the data source response has an error set as part of the DataResponse, the resulting HTTP status code is '400 Bad Request' (no breaking change)
* For a proxied request, e.g. Grafana's datasource or plugin proxy:
+ If the request is cancelled, e.g. from the browser/by the client, the HTTP status code is now '499 Client Closed Request' instead of '502 Bad Gateway'
+ If the request times out, e.g. takes longer than allowed, the HTTP status code is now '504 Gateway Timeout' instead of '502 Bad Gateway'
* Visualizations: negative-valued series are now stacked downwards from 0 (in their own stacks), rather than downwards from the top of the positive stacks. Stacks are now automatically grouped by Draw style, Line interpolation, and Bar alignment, making it impossible to stack bars on top of lines, or smooth lines on top of stepped lines
* DataSource: the meaning of the default data source has changed from being a persisted property in a panel. Before, when you selected the default data source for a panel and later changed the default data source to another data source, it would change all panels that were configured to use the default data source. From now on the default data source is just the default for new panels, and changing the default will not impact any currently saved dashboards
* The Tooltip component provided by @grafana/ui is no longer automatically interactive (that is, you can hover onto it and click a link or select text). It will from now on by default close automatically when you mouse out from the trigger element. To make tooltips behave like before, set the new interactive property to true

- Deprecations:
* /api/tsdb/query API has been deprecated, please use /api/ds/query instead
* AngularJS plugin support is now in a deprecated state. The documentation site has an article with more details on why, when, and how

- Bug fixes:
* Alerting: Add contact points provisioning API
* Alerting: add field for custom slack endpoint
* Alerting: Add resolved count to notification title when both firing and resolved present
* Alerting: Alert rule should wait For duration when execution error state is Alerting
* Alerting: Allow disabling override timings for notification policies
* Alerting: Allow serving images from custom url path
* Alerting: Apply Custom Headers to datasource queries
* Alerting: Classic conditions can now display multiple values
* Alerting: correctly show all alerts in a folder
* Alerting: Display query from grafana-managed alert rules on /api/v1/rules
* Alerting: Do not overwrite existing alert rule condition
* Alerting: Enhance support for arbitrary group names in managed alerts
* Alerting: Fix access to alerts for viewer with editor permissions when RBAC is disabled
* Alerting: Fix anonymous access to alerting
* Alerting: Fix migrations by making send_alerts_to field nullable
* Alerting: Fix RBAC actions for notification policies
* Alerting: Fix use of > instead of >= when checking the For duration
* Alerting: Remove double quotes from matchers
* API: Include userId, orgId, uname in request logging middleware
* Auth: Guarantee consistency of signed SigV4 headers
* Azure Monitor: Adding json formatting of error messages in Panel Header Corner and Inspect Error Tab
* Azure Monitor: Add 2 more Curated Dashboards for VM Insights
* Azure Monitor: Bug Fix for incorrect variable cascading for template variables
* Azure Monitor: Fix space character encoding for metrics query link to Azure Portal
* Azure Monitor: Fixes broken log queries that use workspace
* Azure Monitor: Small bug fixes for Resource Picker
* AzureAd Oauth: Fix strictMode to reject users without an assigned role
* AzureMonitor: Fixes metric definition for Azure Storage queue/file/blob/table resources
* Cloudwatch: Fixed resetting metric name when changing namespace in Metric Query
* CloudWatch: Added missing MemoryDB Namespace metrics
* CloudWatch: Fix MetricName resetting on Namespace change
* Cloudwatch: Fix template variables in variable queries
* CloudWatch: Fix variable query tag migration
* CloudWatch: Handle new error codes for MetricInsights
* CloudWatch: List all metrics properly in SQL autocomplete
* CloudWatch: Prevent log groups from being removed on query change
* CloudWatch: Remove error message when using multi-valued template vars in region field
* CloudWatch: Run query on blur in logs query field
* CloudWatch: Use default http client from aws-sdk-go
* Dashboard: Fix dashboard update permission check
* Dashboard: Fixes random scrolling on time range change
* Dashboard: Template variables are now correctly persisted when clicking breadcrumb links
* DashboardExport: Fix exporting and importing dashboards where query data source ended up as incorrect
* DashboardPage: Remember scroll position when coming back panel edit /view panel
* Dashboards: Fixes repeating by row and no refresh
* Dashboards: Show changes in save dialog
* DataSource: Default data source is no longer a persisted state but just the default data source for new panels
* DataSourcePlugin API: Allow queries import when changing data source type
* Elasticsearch: Respect maxConcurrentShardRequests datasource setting
* Explore: Allow users to save Explore state to a new panel in a new dashboard
* Explore: Avoid locking timepicker when range is inverted
* Explore: Fix closing split pane when logs panel is used
* Explore: Prevent direct access to explore if disabled via feature toggle
* Explore: Remove return to panel button
* FileUpload: clicking the Upload file button now opens their modal correctly
* Gauge: Fixes blank viz when data link exists and orientation was horizontal
* GrafanaUI: Fix color of links in error Tooltips in light theme
* Histogram Panel: Take decimal into consideration
* InfluxDB: Fixes invalid no data alerts. #48295, @yesoreyeram
* Instrumentation: Fix HTTP request instrumentation of authentication failures
* Instrumentation: Make backend plugin metrics endpoints available with optional authentication
* Instrumentation: Proxy status code correction and various improvements
* LibraryPanels: Fix library panels not connecting properly in imported dashboards
* LibraryPanels: Prevent long descriptions and names from obscuring the delete button
* Logger: Use specified format for file logger
* Logging: Introduce feature toggle to activate gokit/log format
* Logs: Handle missing fields in dataframes better
* Loki: Improve unpack parser handling
* ManageDashboards: Fix error when deleting all dashboards from folder view
* Middleware: Fix IPv6 host parsing in CSRF check
* Navigation: Prevent navbar briefly showing on login
* NewsPanel: Add support for Atom feeds. #45390, @kaydelaney
* OAuth: Fix parsing of ID token if header contains non-string value
* Panel Edit: Options search now works correctly when a logarithmic scale option is set
* Panel Edit: Visualization search now works correctly with special characters
* Plugins Catalog: Fix styling of hyperlinks
* Plugins: Add deprecation notice for /api/tsdb/query endpoint
* Plugins: Adding support for traceID field to accept variables
* Plugins: Ensure catching all appropriate 4xx api/ds/query scenarios
* Postgres: Return tables with hyphenated schemes
* PostgreSQL: __unixEpochGroup to support arithmetic expression as argument
* Profile/Help: Expose option to disable profile section and help menu
* Prometheus: Enable new visual query builder by default
* Provisioning: Fix duplicate validation when multiple organizations have been configured
* RBAC: Fix Anonymous Editors missing dashboard controls
* RolePicker: Fix menu position on smaller screens
* SAML: Allow disabling of SAML signups
* Search: Sort results correctly when using postgres
* Security: Fixes minor code scanning security warnings in old vendored javascript libs
* Table panel: Fix horizontal scrolling when pagination is enabled
* Table panel: Show datalinks for cell display modes JSON View and Gauge derivatives
* Table: Fix filter crashes table
* Table: New pagination option
* TablePanel: Add cell inspect option
* TablePanel: Do not prefix columns with frame name if multiple frames and override active
* TagsInput: Fix tags remove button accessibility issues
* Tempo / Trace Viewer: Support Span Links in Trace Viewer
* Tempo: Download span references in data inspector
* Tempo: Separate trace to logs and loki search datasource config
* TextPanel: Sanitize after markdown has been rendered to html
* TimeRange: Fixes updating time range from url and browser history
* TimeSeries: Fix detection & rendering of sparse datapoints
* Timeseries: Fix outside range stale state
* TimeSeries: Properly stack series with missing datapoints
* TimeSeries: Sort tooltip values based on raw values
* Tooltip: Fix links not legible in Tooltips when using light theme
* Tooltip: Sort decimals using standard numeric compare
* Trace View: Show number of child spans
* Transformations: Support escaped characters in key-value pair parsing
* Transforms: Labels to fields, fix label picker layout
* Variables: Ensure variables in query params are correctly recognised
* Variables: Fix crash when changing query variable datasource
* Variables: Fixes issue with data source variables not updating queries with variable
* Visualizations: Stack negative-valued series downwards

- Plugin development fixes:
* Card: Increase clickable area when meta items are present
* ClipboardButton: Use a fallback when the Clipboard API is unavailable
* Loki: Fix operator description popup from being shortened
* OAuth: Add setting to skip org assignment for external users
* Tooltips: Make tooltips non interactive by default
* Tracing: Add option to map tag names to log label names in trace to logs settings

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:

zypper in -t patch openSUSE-SLE-15.4-2022-4428=1

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-SLE-15.3-2022-4428=1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:

zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-4428=1


Package List:

- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

grafana-8.5.13-150200.3.29.5
grafana-debuginfo-8.5.13-150200.3.29.5

- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

grafana-8.5.13-150200.3.29.5
grafana-debuginfo-8.5.13-150200.3.29.5

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x x86_64):

grafana-8.5.13-150200.3.29.5
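Added example, not part of the SUSE advisory: a POSIX shell check that compares an installed grafana version-release against the fixed build listed above (8.5.13-150200.3.29.5), so a fleet audit can flag hosts that still carry a vulnerable package. The version-release string is assumed to come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' grafana`; the comparison uses `sort -V`, which is assumed to agree with rpm's ordering for SUSE's dotted version-release strings (no epoch is involved here). The sample inputs are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the advisory: check an installed grafana
# version-release against the fixed build from SUSE-SU-2022:4428-1.
FIXED_GRAFANA="8.5.13-150200.3.29.5"

# vercmp_ge A B: exit 0 when A >= B. sort -V approximates rpmvercmp; the
# assumption is that it orders SUSE's dotted version-release strings the
# same way (no epoch in these packages).
vercmp_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# grafana_patched VR: VR is the installed version-release, as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' grafana
# Prints "patched" (exit 0) or "vulnerable" (exit 1).
grafana_patched() {
    if vercmp_ge "$1" "$FIXED_GRAFANA"; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

# Constructed sample inputs (not from a real host): a hypothetical
# pre-update build, a build one release below the fix, the fixed build,
# and a hypothetical later build.
for vr in 8.3.10-150200.3.26.1 8.5.13-150200.3.29.4 \
          8.5.13-150200.3.29.5 9.0.0-150200.4.1.1; do
    printf '%-24s %s\n' "$vr" "$(grafana_patched "$vr")"
done
```

On a SUSE host the same comparison can be done exactly with `zypper versioncmp <installed> 8.5.13-150200.3.29.5`; the `sort -V` fallback above only lets the check run where zypper is not installed, e.g. in a central inventory script fed with rpm output collected from many hosts. A "patched" result means the package is installed, not that the running process has been restarted since the update.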

References:

  https://www.suse.com/security/cve/CVE-2021-36222.html
  https://www.suse.com/security/cve/CVE-2021-3711.html
  https://www.suse.com/security/cve/CVE-2021-41174.html
  https://www.suse.com/security/cve/CVE-2021-41244.html
  https://www.suse.com/security/cve/CVE-2021-43798.html
  https://www.suse.com/security/cve/CVE-2021-43813.html
  https://www.suse.com/security/cve/CVE-2021-43815.html
  https://www.suse.com/security/cve/CVE-2022-29170.html
  https://www.suse.com/security/cve/CVE-2022-31097.html
  https://www.suse.com/security/cve/CVE-2022-31107.html
  https://www.suse.com/security/cve/CVE-2022-35957.html
  https://www.suse.com/security/cve/CVE-2022-36062.html
  https://bugzilla.suse.com/1188571
  https://bugzilla.suse.com/1189520
  https://bugzilla.suse.com/1192383
  https://bugzilla.suse.com/1192763
  https://bugzilla.suse.com/1193492
  https://bugzilla.suse.com/1193686
  https://bugzilla.suse.com/1199810
  https://bugzilla.suse.com/1201535
  https://bugzilla.suse.com/1201539
  https://bugzilla.suse.com/1203596
  https://bugzilla.suse.com/1203597