In VIP Authentication Hub 3.2.1, the vulnerability CVE-2024-24791 has been reported against the Grafana component:
Vulnerability used for assessment: CVE-2024-24791
Attack requirements: Remotely unauthenticated without any user interaction
Affected software: Grafana
Problem description:
A vulnerability has been fixed in Grafana. It allows an unauthenticated remote attacker to cause a denial of service.
Technical information:
This vulnerability is due to a flaw in how the "net/http" HTTP/1.1 client handles the case where a server responds to a request carrying an "Expect: 100-continue" header with a non-informational (200 or higher) status. It allows a remote unauthenticated attacker, by sending "Expect: 100-continue" requests to a "net/http/httputil.ReverseProxy" proxy, to cause a denial of service by leaving the proxy's client connection in an invalid state.
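The following Go program is an added example, not code from the VIP Authentication Hub product or from Grafana, showing the kind of stop-gap a defender can put in front of an unpatched proxy until the updated Grafana build is deployed. It assumes a small front proxy of our own placed between clients and the Grafana listener (the upstream address 127.0.0.1:3000 and the listen address are hypothetical). Because Go's net/http transport only emits "Expect: 100-continue" upstream when the outgoing request carries that header, removing the header at the front door keeps the forwarded request off the client-side code path the advisory describes. The permanent fix remains upgrading Grafana to a build on a patched Go toolchain.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// hasExpectContinue reports whether the request headers carry an
// "Expect: 100-continue" expectation. The token is compared
// case-insensitively, as the HTTP specification requires, and a
// comma-separated list of expectations is handled token by token.
func hasExpectContinue(h http.Header) bool {
	for _, v := range h.Values("Expect") {
		for _, tok := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(tok), "100-continue") {
				return true
			}
		}
	}
	return false
}

// stripExpect wraps a handler (here a ReverseProxy) and removes the Expect
// header before the request is forwarded. The front proxy's own server side
// still answers the client's expectation when the body is first read; only
// the request forwarded upstream loses the header, so the upstream client
// connection never enters the 100-continue handling described above.
func stripExpect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasExpectContinue(r.Header) {
			r.Header.Del("Expect")
		}
		next.ServeHTTP(w, r)
	})
}

// newFrontProxy builds a single-host reverse proxy towards the upstream
// (assumed here to be the Grafana listener) with the Expect filter in front.
func newFrontProxy(upstream string) (http.Handler, error) {
	u, err := url.Parse(upstream)
	if err != nil {
		return nil, err
	}
	return stripExpect(httputil.NewSingleHostReverseProxy(u)), nil
}

func main() {
	// Hypothetical addresses: the upstream Grafana and the listener to expose.
	h, err := newFrontProxy("http://127.0.0.1:3000")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```

Dropping the header is semantically safe for clients: the request body is still read and proxied in full, the client simply does not get a chance to abort before sending it. Keep the filter in place only as long as the unpatched Grafana build is running, and confirm after the upgrade that the new binary was built with a fixed Go release.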
As Grafana is part of Enclave Services, and not of the SSP core images, it is our customers' responsibility to update and maintain these images.
Moreover, we do not certify such patches; we provide out-of-the-box support for Elastic & Prometheus as a courtesy to our customers, who can use this open source software in lower environments, since virtually every enterprise has its own observability stack.
The choice of Elastic & Prometheus is a good one, as it largely guarantees interoperability with the broader observability tool set (Splunk, Dynatrace, Sysdig, etc.).
However, the responsibility for upgrading such stacks lies with our customers, since the VIP Authentication Hub documentation states the certified release levels.
Guidance on upgrading the Grafana component is available from our knowledge base (1).