USN-6243-1: Graphite-Web vulnerabilities

Releases

• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM
• Ubuntu 14.04 ESM

Packages

• graphite-web - A highly scalable real-time graphing system

Details

It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to perform
server-side request forgery and obtain sensitive information. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2017-18638)

It was discovered that Graphite-Web incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to perform
cross site scripting and obtain sensitive information. (CVE-2022-4728,
CVE-2022-4729, CVE-2022-4730)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04

• graphite-web - 1.1.8-1ubuntu0.22.04.1

Ubuntu 20.04

• graphite-web - 1.1.4-5ubuntu0.1

Ubuntu 18.04

• graphite-web - 1.0.2+debian-2ubuntu0.1~esm1
  Available with Ubuntu Pro

Ubuntu 16.04

• graphite-web - 0.9.15+debian-1ubuntu0.1~esm1
  Available with Ubuntu Pro

Ubuntu 14.04

• graphite-web - 0.9.12+debian-3ubuntu0.1~esm2
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2022-4730
• CVE-2017-18638
• CVE-2022-4728
• CVE-2022-4729