CVE-2022-28660
📋 TL;DR
This vulnerability allows unauthenticated access to Grafana Enterprise Logs querier component when X-Scope-OrgID header is used, bypassing authentication requirements. It affects Grafana Enterprise Logs versions 1.1.x through 1.3.x before 1.4.0 when configured with -auth.type=enterprise in microservices mode. Organizations using these vulnerable configurations are at risk of unauthorized access to log data.
💻 Affected Systems
- Grafana Enterprise Logs
📦 What is this software?
Grafana by Grafana
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to log data, potentially exposing sensitive information, manipulating logs, or disrupting logging operations across the entire enterprise.
Likely Case
Unauthorized users access and exfiltrate sensitive log data containing PII, credentials, or business intelligence without authentication.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to unauthorized read access within isolated logging segments.
🎯 Exploit Status
Exploitation requires only an HTTP request to a querier endpoint that carries an X-Scope-OrgID header and no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.1, 1.3.1, or 1.4.0
Vendor Advisory: https://grafana.com/docs/enterprise-logs/latest/gel-releases/#v121----may-3-2022
Restart Required: Yes
Instructions:
1. Upgrade Grafana Enterprise Logs to version 1.2.1, 1.3.1, or 1.4.0.
2. Restart all Grafana Enterprise Logs services.
3. Verify that authentication is now required for querier endpoints.
🔧 Temporary Workarounds
Network Access Control
(Linux) Restrict network access to Grafana Enterprise Logs querier endpoints using firewall rules, allowing only trusted networks before the default drop:
iptables -A INPUT -p tcp --dport [GEL_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [GEL_PORT] -j DROP
Authentication Proxy
(All platforms) Place an authentication proxy in front of Grafana Enterprise Logs querier endpoints so that every request is authenticated before it reaches the querier.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Grafana Enterprise Logs from untrusted networks
- Deploy a web application firewall (WAF) to block unauthenticated requests to querier endpoints
🔍 How to Verify
Check if Vulnerable:
Send an HTTP request to a querier endpoint with an X-Scope-OrgID header and no authentication. If the request succeeds, the system is vulnerable.
Check Version:
grafana-enterprise-logs --version
Verify Fix Applied:
Attempt the same unauthenticated request after patching; it should be rejected with an authentication error (401/403).
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /loki/api/v1/query* endpoints
- Requests with X-Scope-OrgID header from unauthorized sources
- High volume of log queries from single IP
Network Indicators:
- HTTP traffic to querier ports without authentication headers
- Unusual query patterns or data exfiltration
SIEM Query:
source="grafana-logs" AND (http_status=200 AND NOT auth_token=*) AND uri_path="/loki/api/v1/query*"
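The log indicators above can be checked offline against an access log. The following script is an added example and is not Grafana's code; it assumes a reverse-proxy access log in JSON-lines form with the fields client_ip, method, path, status and headers (a constructed format, adjust parse_line() for yours). It flags successful requests to /loki/api/v1/query* that carry X-Scope-OrgID without an Authorization header, and separately reports source IPs whose querier request count reaches a volume threshold.

```python
"""Offline detection for CVE-2022-28660 indicators (added example, not Grafana code).

Assumes JSON-lines access-log entries of the constructed form:
  {"client_ip": ..., "method": ..., "path": ..., "status": ..., "headers": {...}}
"""
import json
from collections import Counter

# Prefix from the advisory's indicator "/loki/api/v1/query*"; it matches both
# /loki/api/v1/query and /loki/api/v1/query_range.
QUERIER_PREFIX = "/loki/api/v1/query"

# Constructed sample lines (not real GEL output). 203.0.113.9 issues querier
# requests with only an X-Scope-OrgID header; 10.0.0.5 is properly authenticated.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"client_ip": "10.0.0.5", "method": "GET", "path": "/loki/api/v1/query_range",
     "status": 200, "headers": {"Authorization": "REDACTED", "X-Scope-OrgID": "team-a"}},
    {"client_ip": "203.0.113.9", "method": "GET", "path": "/loki/api/v1/query",
     "status": 200, "headers": {"X-Scope-OrgID": "team-a"}},
    {"client_ip": "203.0.113.9", "method": "GET", "path": "/loki/api/v1/query_range",
     "status": 200, "headers": {"X-Scope-OrgID": "team-b"}},
    {"client_ip": "203.0.113.9", "method": "GET", "path": "/loki/api/v1/labels",
     "status": 200, "headers": {"X-Scope-OrgID": "team-a"}},
    {"client_ip": "203.0.113.9", "method": "GET", "path": "/loki/api/v1/query",
     "status": 401, "headers": {"X-Scope-OrgID": "team-a"}},
    {"client_ip": "198.51.100.7", "method": "POST", "path": "/loki/api/v1/push",
     "status": 401, "headers": {}},
])


def parse_line(line: str) -> dict:
    """Parse one JSON access-log line; header names are normalised to lower case."""
    entry = json.loads(line)
    entry["headers"] = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    return entry


def is_querier_request(entry: dict) -> bool:
    """True for requests to the querier's query endpoints (/loki/api/v1/query*)."""
    return entry.get("path", "").startswith(QUERIER_PREFIX)


def is_auth_bypass(entry: dict) -> bool:
    """A querier query that succeeded (200) with X-Scope-OrgID but no Authorization header.

    A 401/403 on the same request means the control held, so it is not counted here.
    """
    headers = entry["headers"]
    return (
        is_querier_request(entry)
        and entry.get("status") == 200
        and "x-scope-orgid" in headers
        and "authorization" not in headers
    )


def analyse(log_text: str, volume_threshold: int = 3) -> dict:
    """Return suspected bypasses and per-IP querier volumes at or above the threshold."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    bypass = [e for e in entries if is_auth_bypass(e)]
    per_ip = Counter(e["client_ip"] for e in entries if is_querier_request(e))
    high_volume = {ip: n for ip, n in per_ip.items() if n >= volume_threshold}
    return {"bypass": bypass, "high_volume": high_volume}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for e in result["bypass"]:
        print(f"BYPASS  {e['client_ip']} {e['method']} {e['path']} "
              f"org={e['headers'].get('x-scope-orgid')}")
    for ip, n in result["high_volume"].items():
        print(f"VOLUME  {ip} made {n} querier requests")
```

The volume threshold is deliberately low for the sample; in production set it from a baseline of legitimate query rates. Requests rejected with 401/403 are left out of the bypass list but still count toward the per-IP volume, since repeated rejected attempts from one source are worth a look on their own.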