Red Hat Product Errata RHSA-2023:5866 - Security Advisory
Issued:
2023-10-18
Updated:
2023-10-18

RHSA-2023:5866 - Security Advisory

Synopsis

Moderate: grafana security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for grafana is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
  • grafana: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
  • BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0

SRPM
grafana-7.5.11-6.el9_0.src.rpm SHA-256: 60978d26578c65bb78b09d0131276ceba6a872f5bd8c7d55f37d364eded251e2
x86_64
grafana-7.5.11-6.el9_0.x86_64.rpm SHA-256: 192b74e680c696f6eaa9bcaca71bb86772a510ee40c5546649c8d8ff50906d81
grafana-debuginfo-7.5.11-6.el9_0.x86_64.rpm SHA-256: 6306a3e762f1ed29133e96e151a6d24c1c2a8be48338f2642d11ed9446cec98a

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0

SRPM
grafana-7.5.11-6.el9_0.src.rpm SHA-256: 60978d26578c65bb78b09d0131276ceba6a872f5bd8c7d55f37d364eded251e2
s390x
grafana-7.5.11-6.el9_0.s390x.rpm SHA-256: 9afedc9950bca53771a33b80825c5752db5ae9a2e765e5ea6afaa21d1a1c5d96
grafana-debuginfo-7.5.11-6.el9_0.s390x.rpm SHA-256: f599beaaee3ef0260daab596c60204ab476ff210d762fe9d1f15e835267edef9

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0

SRPM
grafana-7.5.11-6.el9_0.src.rpm SHA-256: 60978d26578c65bb78b09d0131276ceba6a872f5bd8c7d55f37d364eded251e2
ppc64le
grafana-7.5.11-6.el9_0.ppc64le.rpm SHA-256: 97aab86c004649124294e3acd2262f32c1a6be7b93a39c22751d832aa6566d12
grafana-debuginfo-7.5.11-6.el9_0.ppc64le.rpm SHA-256: 74f424365c271e71a5265e1b66fdefbcd06a96c448155392fe492f75490392c1

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0

SRPM
grafana-7.5.11-6.el9_0.src.rpm SHA-256: 60978d26578c65bb78b09d0131276ceba6a872f5bd8c7d55f37d364eded251e2
aarch64
grafana-7.5.11-6.el9_0.aarch64.rpm SHA-256: d975d3878894560b78e53749e6429f392bc62bd0467f55d4800053ffa4c4ac06
grafana-debuginfo-7.5.11-6.el9_0.aarch64.rpm SHA-256: 99a22f148b95c11d06dcc71d77e3eaafc5deb2d9a9192daffb1ba3d45db98dae

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0

SRPM
grafana-7.5.11-6.el9_0.src.rpm SHA-256: 60978d26578c65bb78b09d0131276ceba6a872f5bd8c7d55f37d364eded251e2
ppc64le
grafana-7.5.11-6.el9_0.ppc64le.rpm SHA-256: 97aab86c004649124294e3acd2262f32c1a6be7b93a39c22751d832aa6566d12
grafana-debuginfo-7.5.11-6.el9_0.ppc64le.rpm SHA-256: 74f424365c271e71a5265e1b66fdefbcd06a96c448155392fe492f75490392c1

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0

SRPM
grafana-7.5.11-6.el9_0.src.rpm SHA-256: 60978d26578c65bb78b09d0131276ceba6a872f5bd8c7d55f37d364eded251e2
x86_64
grafana-7.5.11-6.el9_0.x86_64.rpm SHA-256: 192b74e680c696f6eaa9bcaca71bb86772a510ee40c5546649c8d8ff50906d81
grafana-debuginfo-7.5.11-6.el9_0.x86_64.rpm SHA-256: 6306a3e762f1ed29133e96e151a6d24c1c2a8be48338f2642d11ed9446cec98a

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0

SRPM
grafana-7.5.11-6.el9_0.src.rpm SHA-256: 60978d26578c65bb78b09d0131276ceba6a872f5bd8c7d55f37d364eded251e2
aarch64
grafana-7.5.11-6.el9_0.aarch64.rpm SHA-256: d975d3878894560b78e53749e6429f392bc62bd0467f55d4800053ffa4c4ac06
grafana-debuginfo-7.5.11-6.el9_0.aarch64.rpm SHA-256: 99a22f148b95c11d06dcc71d77e3eaafc5deb2d9a9192daffb1ba3d45db98dae

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0

SRPM
grafana-7.5.11-6.el9_0.src.rpm SHA-256: 60978d26578c65bb78b09d0131276ceba6a872f5bd8c7d55f37d364eded251e2
s390x
grafana-7.5.11-6.el9_0.s390x.rpm SHA-256: 9afedc9950bca53771a33b80825c5752db5ae9a2e765e5ea6afaa21d1a1c5d96
grafana-debuginfo-7.5.11-6.el9_0.s390x.rpm SHA-256: f599beaaee3ef0260daab596c60204ab476ff210d762fe9d1f15e835267edef9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.