SUSE Security Update: Security update for grafana and system-user-grafana
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1233-1
Rating:             moderate
References:         #1148383 #1170557 #1170657 #1172409 #1172450 
                    #1175951 #1178243 
Cross-References:   CVE-2018-18623 CVE-2019-15043 CVE-2019-19499
                    CVE-2020-12052 CVE-2020-12245 CVE-2020-13379
                    CVE-2020-24303
CVSS scores:
                    CVE-2018-18623 (NVD) : 6.1
 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2018-18623 (SUSE): 6.1
 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2019-15043 (NVD) : 7.5
 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-15043 (SUSE): 7.1
 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
                    CVE-2019-19499 (NVD) : 6.5
 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2019-19499 (SUSE): 6.5
 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-12052 (NVD) : 6.1
 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-12052 (SUSE): 6.4
 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
                    CVE-2020-12245 (NVD) : 6.1
 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-12245 (SUSE): 6.4
 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
                    CVE-2020-13379 (NVD) : 8.2
 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
                    CVE-2020-13379 (SUSE): 7.5
 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-24303 (NVD) : 6.1
 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-24303 (SUSE): 5.4
 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected Products:
                    SUSE Manager Tools 15
                    SUSE Enterprise Storage 6
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for grafana and system-user-grafana fixes the following issues:

   - Updated grafana to upstream version 7.3.1
     * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the
       HTTP API allow unauthenticated use. This makes it possible to run a
       denial of service attack against the server running Grafana
     * CVE-2020-12245: Grafana before 6.7.3 allows table-panel XSS via
       column.title or cellLinkTooltip (bsc#1170557)
     * CVE-2020-13379: The avatar feature in Grafana 3.0.1 through 7.0.1 has
       an SSRF Incorrect Access Control issue. This vulnerability allows any
       unauthenticated user/client to make Grafana send HTTP requests to any
       URL and return its result to the user/client. This can be used to gain
       information about the network that Grafana is running on. Furthermore,
       passing invalid URL objects could be used for DOS'ing Grafana via
       SegFault (bsc#1172409)
     * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the
       HTTP API allow unauthenticated use. This makes it possible to run a
       denial of service attack against the server running Grafana
       (bsc#1148383)
     * CVE-2020-12052: Grafana version below 6.7.3 is vulnerable for
       annotation popup XSS (bsc#1170657)
     * CVE-2020-24303: Grafana before 7.1.0-beta 1 allows XSS via a query
       alias for the ElasticSearch datasource. (bsc#1178243)
     * CVE-2018-18623: Grafana 5.3.1 has XSS via the "Dashboard > Text
 Panel"
       screen (bsc#1172450)
     * CVE-2019-19499: Grafana versions below or equal to 6.4.3 has an
       Arbitrary File Read vulnerability, which could be exploited by an
       authenticated attacker that has privileges to modify the data source
       configurations (bsc#1175951)

     * Please refer to this package's changelog to get a full list of all
       changes (including bug fixes etc.)

   - Initial shipment of system-user-grafana to SES 6


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
 methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 15:

      zypper in -t patch SUSE-SLE-Manager-Tools-15-2021-1233=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1233=1



Package List:

   - SUSE Manager Tools 15 (noarch):

      system-user-grafana-1.0.0-3.9.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      grafana-7.3.1-3.6.1

   - SUSE Enterprise Storage 6 (noarch):

      system-user-grafana-1.0.0-3.9.1


References:

   https://www.suse.com/security/cve/CVE-2018-18623.html
   https://www.suse.com/security/cve/CVE-2019-15043.html
   https://www.suse.com/security/cve/CVE-2019-19499.html
   https://www.suse.com/security/cve/CVE-2020-12052.html
   https://www.suse.com/security/cve/CVE-2020-12245.html
   https://www.suse.com/security/cve/CVE-2020-13379.html
   https://www.suse.com/security/cve/CVE-2020-24303.html
   https://bugzilla.suse.com/1148383
   https://bugzilla.suse.com/1170557
   https://bugzilla.suse.com/1170657
   https://bugzilla.suse.com/1172409
   https://bugzilla.suse.com/1172450
   https://bugzilla.suse.com/1175951
   https://bugzilla.suse.com/1178243