SUSE 5180 Published by

A grafana security update has been released for SUSE Linux Enterprise and openSUSE Leap 15.4.



SUSE-SU-2023:0362-1: moderate: Security update for grafana


SUSE Security Update: Security update for grafana
______________________________________________________________________________

Announcement ID: SUSE-SU-2023:0362-1
Rating: moderate
References: #1204302 #1204303 #1204304 #1204305 #1205225 #1205227
Cross-References: CVE-2022-31123 CVE-2022-31130 CVE-2022-39201 CVE-2022-39229 CVE-2022-39306 CVE-2022-39307
CVSS scores:
CVE-2022-31123 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-31123 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
CVE-2022-31130 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-31130 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE-2022-39201 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-39201 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE-2022-39229 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVE-2022-39229 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVE-2022-39306 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE-2022-39306 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE-2022-39307 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-39307 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products:
SUSE Linux Enterprise High Performance Computing 15-SP4 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP Applications 15-SP4SUSE Manager Proxy 4.3
SUSE Manager Retail Branch Server 4.3
SUSE Manager Server 4.3
openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.
Description:

This update for grafana fixes the following issues:

- Version update from 8.5.13 to 8.5.15 (jsc#PED-2617):
* CVE-2022-39306: Security fix for privilege escalation (bsc#1205225) * CVE-2022-39307: Omit error from http response when user does not exists (bsc#1205227)
* CVE-2022-39201: Do not forward login cookie in outgoing requests (bsc#1204303)
* CVE-2022-31130: Make proxy endpoints not leak sensitive HTTP headers (bsc#1204305)
* CVE-2022-31123: Fix plugin signature bypass (bsc#1204302) * CVE-2022-39229: Fix blocking other users from signing in (bsc#1204304)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:
- openSUSE Leap 15.4:

zypper in -t patch openSUSE-SLE-15.4-2023-362=1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-362=1


Package List:

- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

grafana-8.5.15-150200.3.32.1
grafana-debuginfo-8.5.15-150200.3.32.1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x x86_64):

grafana-8.5.15-150200.3.32.1
grafana-debuginfo-8.5.15-150200.3.32.1

References:

  https://www.suse.com/security/cve/CVE-2022-31123.html
  https://www.suse.com/security/cve/CVE-2022-31130.html
  https://www.suse.com/security/cve/CVE-2022-39201.html
  https://www.suse.com/security/cve/CVE-2022-39229.html
  https://www.suse.com/security/cve/CVE-2022-39306.html
  https://www.suse.com/security/cve/CVE-2022-39307.html
  https://bugzilla.suse.com/1204302
  https://bugzilla.suse.com/1204303
  https://bugzilla.suse.com/1204304
  https://bugzilla.suse.com/1204305
  https://bugzilla.suse.com/1205225
  https://bugzilla.suse.com/1205227