Hi Jeremy,

You can find here <https://github.com/ceph/ceph/blob/master/monitoring/grafana/build/README.md> (thanks Sebastian for the link) how to build a custom Ceph-Grafana image.

That said, I wouldn't be too worried (only) about these specific CVEs since the monitoring stack (Grafana-Prometheus) is resource intensive so:

- With anonymous access (Grafana default), there are so many other ways to trigger a DDoS (complex PromQL queries to name a simple one) that you should definitely ensure that the monitoring stack is only reachable from within a trusted environment and never exposed to public networks.
- Or you should disable anonymous mode and enable Grafana User Authentication <https://grafana.com/docs/grafana/latest/auth/> (e.g.: LDAP or Auth Proxy) and/or IP allowlist (more on Grafana securitization <https://grafana.com/docs/grafana/latest/administration/security/>).
- Or rely on a secure reverse proxy (the k8s way).

In any case, thank you for raising concern on those! We hope to move to Grafana 7.x/8.x soon (6.x doesn't fix all these CVEs and we still need to validate that the existing dashboards don't break with newer versions).

Kind Regards,
Ernesto

On Thu, Jan 27, 2022 at 7:53 AM Jeremy Hansen <jeremy@xxxxxxxxxx> wrote:
> Finally following up on this. I missed the replies. Thank you for this.
> Are there any clues as to what image the original is derived from? I guess
> I'm looking to see if there's a drop-in replacement that would get me
> around these security alerts without having to build my own.
>
> FYI, this one gets flagged as well, which seems to affect the community
> version:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27358
>
> -jeremy
>
> On Tuesday, Jan 11, 2022 at 6:22 AM, Alfonso Martinez Hidalgo <almartin@xxxxxxxxxx> wrote:
> Hi Jeremy,
>
> Thanks for the heads up!
>
> I cannot open the provided links.
>
> AFAIK you can set a custom grafana image by running:
>
> ceph config set mgr mgr/cephadm/container_image_grafana <url-to-your-image>
>
> and then re-deploying the service. Please see:
>
> https://docs.ceph.com/en/pacific/cephadm/services/monitoring/#using-custom-images
>
> Regards,
>
> On Tue, Jan 4, 2022 at 4:14 AM Jeremy Hansen <jeremy@xxxxxxxxxx> wrote:
>> I'm running 16.2.7 Pacific with Cephadm. Is there a way to upgrade an
>> individual component without breaking orchestration? I'm just trying to
>> clean up security issues and my scanner found problems with the version of
>> Grafana Ceph deploys:
>>
>> CVE
>> CVE-2021-28148 (https://gsa.la1.clx.corp/cve/CVE-2021-28148)
>>
>> CERT
>> DFN-CERT-2021-1741 (https://gsa.la1.clx.corp/dfncert/DFN-CERT-2021-1741)
>> DFN-CERT-2021-1739 (https://gsa.la1.clx.corp/dfncert/DFN-CERT-2021-1739)
>> CB-K21/0293 (https://gsa.la1.clx.corp/certbund/CB-K21%2F0293)
>>
>> Summary
>> Grafana is prone to a denial of service (DoS) vulnerability.
>>
>> Detection Result
>> Installed version: 6.7.4 Fixed version: 6.7.6 Installation path / port: /
>>
>> Thanks
>> -jeremy
>>
>> _______________________________________________
>> ceph-users mailing list -- ceph-users@xxxxxxx
>> To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
> --
> Alfonso Martínez
> Senior Software Engineer, Ceph Storage
> Red Hat <https://www.redhat.com>
> <https://red.ht/sig>
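The second bullet in Ernesto's reply (disable anonymous mode, turn on real authentication, allowlist the proxy) maps onto a handful of grafana.ini settings. The fragment below is an added illustration, not a file from the thread or from the Ceph project: the first section reproduces the permissive anonymous-access default the thread refers to, the second shows the hardened equivalent. Section and key names are standard Grafana settings; the LDAP config path, the proxy header name and the 10.0.0.0/8 allowlist are placeholders assumed for the example.

```ini
; --- weak: anonymous access enabled (the Grafana default the thread discusses) ---
[auth.anonymous]
enabled = true
org_role = Viewer

; --- hardened: no anonymous access, authenticate via LDAP or a trusted auth proxy ---
[auth.anonymous]
enabled = false

[auth.ldap]
enabled = true
; placeholder path; ldap.toml holds the directory bind and group-to-role mapping
config_file = /etc/grafana/ldap.toml

[auth.proxy]
; only enable this when a reverse proxy in front of Grafana sets the header
; after authenticating the user; Grafana trusts the header unconditionally
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = false
; restrict which upstream addresses may present the auth header (placeholder range)
whitelist = 10.0.0.0/8
```

Pick one of LDAP or Auth Proxy rather than both unless the proxy is the only network path to Grafana; with `auth.proxy` enabled, anything that can reach port 3000 and set the header is trusted, so the `whitelist` and network isolation Ernesto mentions matter more than the CVE fix itself.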