
openssl CVE in grafana docker image

Open tooptoop4 opened this issue 2 years ago • 1 comments

https://www.trendmicro.com/en_us/research/22/j/openssl-critical-security-vulnerability-fix.html

tooptoop4, Nov 01 '22 01:11

I have validated by just rebuilding at the latest tag that it will have the fix for openssl. If the release had waited till the release was done this morning it would have had it in it.

gamethis, Nov 01 '22 22:11

Hey @gamethis how did you check on this? To my understanding latest still uses openssl 3.0.5, which should be affected by this

EAlf91, Nov 08 '22 07:11

We are also tracking this hoping for a new image with a remediated openssl.

larntz, Nov 08 '22 12:11

> Hey @gamethis how did you check on this? To my understanding latest still uses openssl 3.0.5, which should be affected by this

@EAlf91 I verified that the latest public image had the openssl 3.0.5 in it as you said. Then I pulled the repo, switched to the latest release tag 9.2.3, performed a docker build, and validated that the openssl had updated to 3.0.7.

I have used the image in my infrastructure and validated all works well with the patched version of openssl in it.

I'm looking forward to the grafana team releasing a fixed official version hopefully soon.

gamethis, Nov 08 '22 13:11

trivy image grafana/grafana -s CRITICAL,HIGH is clear this morning latest=9.2.4

joebowbeer, Nov 08 '22 16:11
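
The version check discussed in this thread (3.0.5 in the published image, 3.0.7 after a rebuild) can be scripted. The following is an added example, not part of the original thread or the Grafana project's code. It assumes an Alpine-style package listing, the package names `libssl3`, `libcrypto3`, `openssl` and `openssl3`, and treats 3.0.0 through 3.0.6 as the range fixed by 3.0.7.

```shell
#!/bin/sh
# Added example. Reads a package listing on stdin, one "name-version-rN" per
# line (the form `apk info -v` prints), and reports OpenSSL 3.0.x packages
# older than 3.0.7.
# Assumption: the package names matched below; adjust to what the image ships.

# True when version $1 is 3.0.0 through 3.0.6.
is_affected() {
    case $1 in
        3.0.[0-6]) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status: 0 = no affected package, 1 = affected package found,
# 2 = no OpenSSL package seen at all (so an empty listing never passes).
check_listing() {
    found=0
    bad=0
    while IFS= read -r line; do
        case $line in
            libssl3-[0-9]*|libcrypto3-[0-9]*|openssl-[0-9]*|openssl3-[0-9]*) ;;
            *) continue ;;
        esac
        name=${line%%-[0-9]*}   # "libssl3-3.0.5-r3" -> "libssl3"
        ver=${line#"$name"-}    # -> "3.0.5-r3"
        ver=${ver%%-*}          # -> "3.0.5"
        found=1
        if is_affected "$ver"; then
            bad=1
            echo "AFFECTED $name $ver"
        else
            echo "OK $name $ver"
        fi
    done
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# Constructed sample listing (not output captured from a real image).
sample='musl-1.2.3-r0
libcrypto3-3.0.5-r3
libssl3-3.0.5-r3'
printf '%s\n' "$sample" | check_listing || echo "exit status: $?"
```

Against a real image, the listing can be piped in with `docker run --rm --entrypoint apk IMAGE info -v | check_listing`, assuming the image is Alpine-based and ships `apk`.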