Last Updated on 09/12/2021 by Sunaina
Grafana Labs issued an emergency security update today to address a severe vulnerability discovered over the weekend by security researchers who published proof-of-concept code to exploit the flaw.
The vulnerability, CVE-2021-43798, affects the company’s core product, the Grafana dashboard, which is used by businesses all over the world to monitor and aggregate logs and other metrics from their local or remote networks.
The vulnerability, a path traversal flaw, allows an attacker to read files outside of the Grafana application’s folder.
An attacker, for example, can use Grafana plugin URLs to escape the Grafana app folder and read files stored on the underlying server, such as files containing passwords and configuration settings—details that the attacker could use in follow-on attacks. Grafana self-hosted servers running the 8.x version of the software are all vulnerable.
Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 were released today to address the issue. Grafana Labs said in its patch notes that this issue did not affect its cloud-hosted Grafana dashboards, which benefited from extra security safeguards.
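Two defender-side checks follow from the paragraphs above: deciding whether a self-hosted 8.x build predates the fixed releases the article lists, and spotting plugin-URL requests that carry a directory-traversal sequence in a web access log. The script below is an added example written for this page, not code from Grafana Labs or from the original article. It assumes `/public/plugins/` is the route Grafana serves plugin assets from, that the access log is in Common Log Format, and that the plugin name and client addresses in the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Fixed releases named in the article, keyed by 8.x minor branch.
PATCHED = {
    (8, 0): (8, 0, 7),
    (8, 1): (8, 1, 8),
    (8, 2): (8, 2, 7),
    (8, 3): (8, 3, 1),
}


def parse_version(text):
    """Turn 'v8.2.6', '8.2.6' or '8.2.6-beta1' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this self-hosted Grafana build is an 8.x release older than its branch's fix."""
    major, minor, patch = parse_version(version)
    if major != 8:
        return False  # the article scopes the flaw to the 8.x line
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return False  # an 8.x minor newer than the four patched branches
    return (major, minor, patch) < fixed


# Assumption: Grafana serves plugin static assets under this route.
PLUGIN_PREFIX = "/public/plugins/"
# A '..' path segment on its own (not a filename such as 'logo..png').
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def traversal_hits(log_lines):
    """Return (client, raw_path) for plugin-route requests that decode to a traversal."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # not a Common Log Format line
        client, raw_path = parts[0], parts[6]
        # Decode twice so both percent-encoded and double-encoded '..' are caught.
        path = unquote(unquote(raw_path))
        if path.startswith(PLUGIN_PREFIX) and TRAVERSAL.search(path):
            hits.append((client, raw_path))
    return hits


# Constructed sample access log: two benign plugin requests, one login, two traversal attempts.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Dec/2021:10:14:02 +0000] "GET /public/plugins/welcome/img/logo.png HTTP/1.1" 200 1234',
    '198.51.100.9 - - [07/Dec/2021:10:15:41 +0000] "GET /public/plugins/welcome/../../../../etc/passwd HTTP/1.1" 200 2130',
    '198.51.100.7 - - [07/Dec/2021:10:16:05 +0000] "GET /login HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Dec/2021:10:17:19 +0000] "GET /public/plugins/welcome/..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2130',
    '198.51.100.7 - - [07/Dec/2021:10:18:33 +0000] "GET /public/plugins/welcome/img/logo..png HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for v in ("8.2.6", "8.2.7", "8.3.0", "8.3.1", "7.5.11"):
        print(f"{v}: {'affected' if is_affected(v) else 'not affected'}")
    for client, path in traversal_hits(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

The version check only answers the question the article poses (is this 8.x build older than its branch's fix?); it says nothing about other hardening. The log rule decodes the request path before matching so that `..%2F` and `%252E%252E` variants do not slip past a literal `../` search, and it requires `..` to be a whole path segment so filenames containing consecutive dots are not flagged.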
The Record learned earlier today that proof-of-concept exploit code was being posted on Twitter and GitHub. We contacted the company, which issued a security update a few hours later.
Grafana said in a statement that it had been aware of the problem since last week, when it first received a bug report, but was compelled to issue an emergency fix earlier today after proof-of-concept code to exploit the flaw was released online.
Several security experts also claimed online today that the flaw was being actively exploited in real-world attacks, but it was unclear whether the exploitation was being carried out by bug bounty hunters or malicious actors.
The nature of these exploitation efforts could not be confirmed by independent third parties, according to the Record. There are presently between 3,000 and 5,000 Grafana servers exposed online, virtually all of which are utilised to monitor major business networks.