I appreciate the detailed response. It’s not a huge concern. Nothing is externally facing. It’s just more about making those red flags disappear from my scanner reports. Thanks!
-jeremy

> On Thursday, Jan 27, 2022 at 3:27 AM, Ernesto Puerta <epuertat@xxxxxxxxxx> wrote:
> Hi Jeremy,
>
> You can find here
> <https://github.com/ceph/ceph/blob/master/monitoring/grafana/build/README.md>
> (thanks Sebastian for the link) how to build a custom Ceph-Grafana image.
>
> That said, I wouldn't be too worried (only) about these specific CVEs since
> the monitoring stack (Grafana-Prometheus) is resource intensive so:
>
> - With anonymous access (Grafana default), there are so many other ways
> to trigger a DDoS (complex PromQL queries to name a simple one) that you
> should definitely ensure that the monitoring stack is only reachable from
> within a trusted environment and never exposed to public networks.
> - Or you should disable anonymous mode and enable Grafana User
> Authentication <https://grafana.com/docs/grafana/latest/auth/> (e.g.:
> LDAP or Auth Proxy) and/or IP allowlist (more on Grafana securitization
> <https://grafana.com/docs/grafana/latest/administration/security/>).
> - Or rely on a secure reverse proxy (the k8s way).
>
> In any case, thank you for raising concern on those! We hope to move to
> Grafana 7.x/8.x soon (6.x doesn't fix all these CVEs and we still need to
> validate that the existing dashboards don't break with newer versions).
>
> Kind Regards,
> Ernesto
>
>
> On Thu, Jan 27, 2022 at 7:53 AM Jeremy Hansen <jeremy@xxxxxxxxxx> wrote:
>
> > Finally following up on this. I missed the replies. Thank you for this.
> > Are there any clues as to what image the original is derived from? I guess
> > I’m looking to see if there’s a drop-in replacement that would get me
> > around these security alerts without having to build my own.
> >
> > FYI, this one gets flagged as well, which seems to affect the community
> > version:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27358
> >
> > -jeremy
> >
> >
> > On Tuesday, Jan 11, 2022 at 6:22 AM, Alfonso Martinez Hidalgo <almartin@xxxxxxxxxx> wrote:
> > Hi Jeremy,
> >
> > Thanks for the heads up!
> >
> > I cannot open the provided links.
> >
> > AFAIK you can set a custom grafana image by running:
> >
> > ceph config set mgr mgr/cephadm/container_image_grafana <url-to-your-image>
> >
> > and then re-deploying the service. Please see:
> >
> > https://docs.ceph.com/en/pacific/cephadm/services/monitoring/#using-custom-images
> >
> > Regards,
> >
> > On Tue, Jan 4, 2022 at 4:14 AM Jeremy Hansen <jeremy@xxxxxxxxxx> wrote:
> >
> > > I’m running 16.2.7 Pacific with Cephadm. Is there a way to upgrade an
> > > individual component without breaking orchestration? I’m just trying to
> > > clean up security issues and my scanner found problems with the version of
> > > Grafana Ceph deploys:
> > >
> > > CVE
> > > CVE-2021-28148 (https://gsa.la1.clx.corp/cve/CVE-2021-28148)
> > >
> > > CERT
> > > DFN-CERT-2021-1741 (https://gsa.la1.clx.corp/dfncert/DFN-CERT-2021-1741)
> > > DFN-CERT-2021-1739 (https://gsa.la1.clx.corp/dfncert/DFN-CERT-2021-1739)
> > > CB-K21/0293 (https://gsa.la1.clx.corp/certbund/CB-K21%2F0293)
> > >
> > > Summary
> > > Grafana is prone to a denial of service (DoS) vulnerability.
> > >
> > > Detection Result
> > > Installed version: 6.7.4
> > > Fixed version: 6.7.6
> > > Installation path / port: /
> > >
> > > Thanks
> > > -jeremy
> > >
> > > _______________________________________________
> > > ceph-users mailing list -- ceph-users@xxxxxxx
> > > To unsubscribe send an email to ceph-users-leave@xxxxxxx
> >
> > --
> > Alfonso Martínez
> > Senior Software Engineer, Ceph Storage
> > Red Hat <https://www.redhat.com>
> > <https://red.ht/sig>
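The thread settles on two steps: point cephadm at a custom Grafana image and redeploy, then confirm that what is actually serving is no longer the version the scanner flagged and is not open to anonymous clients. The script below is an added example written for this page; it is not code from the thread, from the Ceph project or from Grafana. Its assumptions are placeholders: `GRAFANA_IMAGE` is an image you built from the Ceph monitoring/grafana/build README and pushed to your own registry, `GRAFANA_URL` is the cephadm-deployed Grafana, the `ceph` CLI works on the host, and `FIXED_VERSION` is the "Fixed version" the scanner reported above for CVE-2021-28148 only (as Ernesto notes, 6.x does not cover every CVE raised in the thread). The expectation that an unauthenticated `GET /api/org` returns 401 once anonymous access is disabled is an assumption about Grafana's behaviour, stated so you can confirm it on your version.

```shell
#!/bin/sh
# Added example for this page, not code from the ceph-users thread or the Ceph
# project. Assumptions (all placeholders): GRAFANA_IMAGE is an image you built
# from the Ceph monitoring/grafana/build README and pushed to your own registry;
# GRAFANA_URL is the cephadm-deployed Grafana; the `ceph` CLI works on this host.
set -eu

GRAFANA_IMAGE="${GRAFANA_IMAGE:-registry.example.internal/ceph/ceph-grafana:custom}"
GRAFANA_URL="${GRAFANA_URL:-https://ceph-mon1.example.internal:3000}"
FIXED_VERSION="${FIXED_VERSION:-6.7.6}"   # "Fixed version" from the scanner output in the thread

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Pure POSIX sh so it does not depend on GNU `sort -V`; a "-suffix" is ignored.
version_lt() {
    a="${1%%-*}"; b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "${a#*.}" ]; then a=''; else a="${a#*.}"; fi
        if [ "$b" = "${b#*.}" ]; then b=''; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# grafana_version_from_health JSON: pull "version" out of Grafana's /api/health body
# (a flat object, so a sed pattern is enough; prints nothing if the field is absent).
grafana_version_from_health() {
    printf '%s' "$1" | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Step 1 from the thread: set the cephadm config key and redeploy the service.
pin_custom_grafana_image() {
    ceph config set mgr mgr/cephadm/container_image_grafana "$GRAFANA_IMAGE"
    ceph orch redeploy grafana
    ceph orch ps --daemon-type grafana      # confirm the daemon came back on the new image
}

# Step 2: verify what is actually serving, not just what was configured.
# /api/health needs no credentials. /api/org does: with anonymous access enabled
# (the cephadm default) it answers an unauthenticated client with 200; with it
# disabled, 401 (assumption about Grafana behaviour; confirm on your version).
check_running_grafana() {
    health="$(curl -fsSk "$GRAFANA_URL/api/health")"
    running="$(grafana_version_from_health "$health")"
    if [ -z "$running" ]; then
        echo "could not read Grafana version from $GRAFANA_URL/api/health" >&2
        return 1
    fi
    if version_lt "$running" "$FIXED_VERSION"; then
        echo "Grafana $running is still below the fixed version $FIXED_VERSION" >&2
        return 1
    fi
    echo "Grafana $running >= $FIXED_VERSION: the scanner finding for this CVE should clear"
    code="$(curl -sk -o /dev/null -w '%{http_code}' "$GRAFANA_URL/api/org")"
    if [ "$code" != 401 ]; then
        echo "warning: unauthenticated GET /api/org returned HTTP $code; anonymous access looks enabled" >&2
    fi
}

# Nothing touches the cluster unless explicitly asked:  APPLY=1 ./grafana-pin.sh
if [ "${APPLY:-0}" = 1 ]; then
    pin_custom_grafana_image
    check_running_grafana
fi
```

Run it with `APPLY=1` after building and pushing the image; the version comparison is deliberately done against the live `/api/health` answer rather than the image tag, because a redeploy that silently keeps the old container is exactly the case a scanner will keep flagging.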