In response to the amazing work by @j0v0x0 “Jordy Versmissen” from Detectify, the double-amazing Dutch Institute for Vulnerability Disclosure, known as DIVD CSIRT, contacted thousands of ISP/IP/Webmasters to resolve the issue.
This mitigation assists those who are on Ubuntu 18.04, 20.04, etc., and used the .deb package to install Grafana.
This mitigation is GPLv2 and has ABSOLUTELY NO WARRANTY: your application may break.
apt update -y
apt upgrade -y
If, after the above, your version remains the same and you cannot upgrade Grafana, you may have installed it using the Debian package and therefore have to update it manually, or add the Grafana OSS repo to your Debian sources as shown below.
For example:
grafana-server -v
# Version 8.0.5 (commit: cbb2aa5001, branch: HEAD)
apt update && apt upgrade -y
grafana-server -v
# Version 8.0.5 (commit: cbb2aa5001, branch: HEAD)
Same version, right? 8.0.5 == 8.0.5
This means you may have used the .deb package to install Grafana.
You could go to Grafana.com and wget the latest .deb, but you’ll have to do this every single time!
Therefore, the most secure option is to simply add the Grafana package repo:
apt install -y apt-transport-https
apt install -y software-properties-common wget
wget -q -O - https://packages.grafana.com/gpg.key | apt-key add -
tee /etc/apt/sources.list.d/grafana.list <<< "deb https://packages.grafana.com/oss/deb stable main"
apt update -y
apt install grafana -y
Now let’s see if the newest version is available:
apt list | grep grafana
# WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
# grafana-enterprise/stable 7.0.0 amd64
# grafana/stable 8.3.4 amd64 [upgradable from: 8.0.5]
This lets you jump from 8.0.5 to 8.3.4.
apt upgrade -y
Now check the version:
grafana-server -v
# Version 8.3.4 (commit: a551d74b11, branch: HEAD)
Done!
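To tell a host stuck on a manually installed .deb apart from one that can upgrade through apt, without comparing version strings by eye, the check below classifies the output of apt-cache policy grafana. It is an added example, not part of the original post: the function name grafana_update_state and both sample outputs are constructed for illustration, and it assumes a repository origin shows up as an http(s) URL.

```shell
#!/bin/sh
# Classify `apt-cache policy grafana` output read from stdin (hypothetical helper):
#   not-installed  package is not installed
#   no-repo        installed from a local .deb only; apt has nothing to upgrade from
#   upgradable     a repository offers a candidate different from the installed version
#   current        a repository is configured and installed == candidate
grafana_update_state() {
    awk '
        $1 == "Installed:" { installed = $2 }
        $1 == "Candidate:" { candidate = $2 }
        # Source lines look like "<priority> <origin> ...". A repository origin is
        # assumed to be an http(s) URL; a manually installed .deb only ever shows
        # /var/lib/dpkg/status.
        $1 ~ /^[0-9]+$/ && $2 ~ /^https?:\/\// { repo = 1 }
        END {
            if (installed == "" || installed == "(none)") print "not-installed"
            else if (!repo)                  print "no-repo"
            else if (candidate != installed) print "upgradable"
            else                             print "current"
        }'
}

# Constructed sample: Grafana installed from a downloaded .deb, no repository configured.
SAMPLE_DEB_ONLY='grafana:
  Installed: 8.0.5
  Candidate: 8.0.5
  Version table:
 *** 8.0.5 100
        100 /var/lib/dpkg/status'

# Constructed sample: the same host after the Grafana OSS repository was added.
SAMPLE_WITH_REPO='grafana:
  Installed: 8.0.5
  Candidate: 8.3.4
  Version table:
     8.3.4 500
        500 https://packages.grafana.com/oss/deb stable/main amd64 Packages
 *** 8.0.5 100
        100 /var/lib/dpkg/status'

printf '%s\n' "$SAMPLE_DEB_ONLY"  | grafana_update_state   # no-repo
printf '%s\n' "$SAMPLE_WITH_REPO" | grafana_update_state   # upgradable
# On a real host: apt-cache policy grafana | grafana_update_state
```

A result of no-repo across a fleet is the case to chase: those hosts will report a successful apt upgrade while staying on the old Grafana version.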