#Upgrade Grafana separately from NaBox.


shrewd bronze
#

Hi All,

Grafana released a security patch for a critical vulnerability CVE-2023-3128.
The fix is contained in version 8.5.27 (current version is 8.5.15).
Is there a way to upgrade Grafana separately from the whole Nabox setup?

https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/
https://nvd.nist.gov/vuln/detail/CVE-2023-3128

It seems this CVE is only valid when using Azure AD, which we don't. The security office at my company still insists on upgrading Grafana.

Thanks!


open oak
#

@shrewd bronze thanks for raising awareness to the Harvest community on this CVE. Let's see what @kind island says about upgrading Grafana on Nabox.

I don't see anything on the nabox doc site about upgrading, but since Grafana is running as a container, if you ssh into nabox you can move grafana to a new version like so:

ssh into nabox
Edit this file
/usr/local/nabox/docker-compose/docker-compose.yaml

Change this line
image: grafana/grafana-oss:8.5.22
to
image: grafana/grafana-oss:8.5.27

Save change
at the shell type
dc up -d
The new version will be pulled and everything restarted

kind island
#

Indeed the CVE is only for Azure OAUTH. You should be able to upgrade the Grafana container by changing the version number in the docker compose file and running dc up -d
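A read-only check that combines the two points made above: which Grafana image tag the compose file pins, and whether Azure AD OAuth is switched on. This is an added example, not code from the thread or from NAbox; the sample file contents are constructed, 8.5.27 is the fixed version quoted in the thread, and the check only judges the 8.5.x line.

```python
import configparser
import re

FIXED_8_5 = (8, 5, 27)  # fixed release quoted in the thread

IMAGE_RE = re.compile(r"^\s*image:\s*grafana/grafana-oss:(\d+)\.(\d+)\.(\d+)\s*$", re.M)
ENV_RE = re.compile(r"GF_AUTH_AZUREAD_ENABLED\s*[=:]\s*[\"']?(\w+)")

# Constructed sample inputs (not the real NAbox files).
SAMPLE_COMPOSE = """\
services:
  grafana:
    image: grafana/grafana-oss:8.5.22
    environment:
      # - GF_AUTH_AZUREAD_ENABLED=true
      - GF_SERVER_HTTP_PORT=3000
"""
SAMPLE_INI = """\
app_mode = production
[auth.azuread]
;client_id = placeholder
enabled = false
"""

def _strip_comments(text):
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def grafana_version(compose_text):
    m = IMAGE_RE.search(_strip_comments(compose_text))
    return tuple(int(g) for g in m.groups()) if m else None

def azuread_enabled(compose_text, ini_text):
    env = ENV_RE.search(_strip_comments(compose_text))
    if env:  # a GF_* environment variable overrides grafana.ini
        return env.group(1).lower() == "true"
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may start with keys outside any section; give them a dummy one
    cp.read_string("[_top]\n" + ini_text)
    return cp.getboolean("auth.azuread", "enabled", fallback=False)

def assess(compose_text, ini_text):
    version = grafana_version(compose_text)
    # Versions outside 8.5.x are reported as not patched (conservative assumption).
    patched = bool(version) and version[:2] == (8, 5) and version >= FIXED_8_5
    azure = azuread_enabled(compose_text, ini_text)
    return {"version": version, "patched": patched,
            "azuread": azure, "exposed": azure and not patched}

if __name__ == "__main__":
    print(assess(SAMPLE_COMPOSE, SAMPLE_INI))
```

Point it at the real compose file and `grafana.ini` by reading them into strings and passing them to `assess`.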

prime barn
open oak
#

Only if teams have enabled Azure OAUTH for their Grafana instance(s). This CVE isn't about Harvest, but Grafana.

prime barn
#

Ok that makes sense. Thanks.

shrewd bronze
#

Thanks everyone. I will need to look into how we pull a new image without an internet connection 🙂