Grafana Labs has released an important security update, and as you’re aware, PMM uses Grafana internally. You’re probably curious whether this issue affects you. CVE-2018-19039 “File Exfiltration vulnerability Security fix” covers a recently discovered security flaw that allows any Grafana user with Editor or Admin permissions to read the filesystem with the same privileges as the Grafana process.

We have good news: if you’re running PMM 1.10.0 or later (released April 2018), you’re not affected by this security issue.

The reason you’re not affected is an interesting one. CVE-2018-19039 relates to the Grafana component PhantomJS, which Percona omitted when we changed how we build the version of Grafana embedded in Percona Monitoring and Management. We became aware of this via bug PMM-2837, when we discovered that images did not render.

We fixed this image rendering issue in and applied the required security update in 1.17. This ensures PMM is not vulnerable to CVE-2018-19039.

Users of PMM who are running release 1.1.0 (February 2017) through 1.9.1 (April 2018) are advised to upgrade ASAP.  If you cannot immediately upgrade, we advise that you take two steps:

  1. Convert all Grafana users to Viewer role
  2. Remove all Dashboards that contain text panels
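
As an added example (not Percona's or Grafana's own code), this offline check lists which accounts and dashboards the two steps above would touch. It assumes the org user list and dashboard models have been exported as JSON in the shape Grafana's HTTP API returns; the function names and sample data are constructed for illustration.

```python
# Added example: offline audit for the two interim mitigation steps.
# Inputs mirror the JSON shape of Grafana's HTTP API responses (org user
# list, dashboard model). All sample data below is constructed.

PRIVILEGED_ROLES = {"Editor", "Admin"}


def users_to_demote(org_users):
    """Step 1: logins whose org role is still Editor or Admin."""
    return sorted(u["login"] for u in org_users
                  if u.get("role") in PRIVILEGED_ROLES)


def iter_panels(dashboard):
    """Yield every panel: legacy rows[].panels[], flat panels[], and
    panels nested inside collapsed row panels."""
    stack = list(dashboard.get("panels") or [])
    for row in dashboard.get("rows") or []:
        stack.extend(row.get("panels") or [])
    while stack:
        panel = stack.pop()
        yield panel
        stack.extend(panel.get("panels") or [])


def dashboards_with_text_panels(dashboards):
    """Step 2: titles of dashboards that hold at least one text panel."""
    return sorted(d.get("title", "<untitled>") for d in dashboards
                  if any(p.get("type") == "text" for p in iter_panels(d)))


# Constructed sample data, not taken from a real PMM Server.
SAMPLE_USERS = [
    {"login": "admin", "role": "Admin"},
    {"login": "dba", "role": "Editor"},
    {"login": "readonly", "role": "Viewer"},
]
SAMPLE_DASHBOARDS = [
    {"title": "legacy-rows", "rows": [{"panels": [{"type": "text"}]}]},
    {"title": "nested-row", "panels": [
        {"type": "graph"},
        {"type": "row", "panels": [{"type": "text"}]}]},
    {"title": "graphs-only", "panels": [{"type": "graph"}]},
]

if __name__ == "__main__":
    print("Demote to Viewer:", users_to_demote(SAMPLE_USERS))
    print("Contain text panels:", dashboards_with_text_panels(SAMPLE_DASHBOARDS))
```

Re-running the check after both steps should return two empty lists.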

How to Get PMM Server

PMM is available for installation using three methods: