Fixing CVE-2025-4123 in TiDB's Grafana


𝓓𝓸𝓷

Grafana upgrade, Grafana patching, Grafana vulnerability fix

I. Overview of CVE-2025-4123

https://grafana.com/blog/2025/05/21/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/

Today we are releasing Grafana 12.0.0+security-01 as well as security patches for all supported versions of Grafana. These security releases contain a fix for CVE-2025-4123, a high severity cross-site scripting (XSS) vulnerability that allows attackers to redirect users to malicious websites.

We are publishing the security patches for CVE-2025-4123 one day ahead of schedule because we discovered that this vulnerability has been made public.

We will be releasing the regularly scheduled patch releases for Grafana 12.0 and all supported versions on Thursday, May 22. These patch releases will also include the fix for CVE-2025-4123.

Releases with the security patch:

  • Grafana 12.0.0+security-01, latest release with security patch
  • Grafana 11.6.1+security-01 with security patch
  • Grafana 11.5.4+security-01 with security patch
  • Grafana 11.4.4+security-01 with security patch
  • Grafana 11.3.6+security-01 with security patch
  • Grafana 11.2.9+security-01 with security patch
  • Grafana 10.4.18+security-01 with security patch

Grafana Cloud instances are not impacted by this vulnerability.

We closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

II. Upgrading the TiDB monitoring components

https://docs.pingcap.com/zh/tidb/dev/upgrade-monitoring-services/

When you deploy a TiDB cluster with TiUP, TiUP automatically deploys monitoring components such as Prometheus, Grafana and Alertmanager alongside it, and automatically adds monitoring configuration for new nodes when the cluster is scaled out. The monitoring components deployed by TiUP are not the latest versions of these third-party components; if you need the latest versions, follow the method in this document to upgrade the monitoring components you need.

When managing the cluster, TiUP overwrites the monitoring components' configuration with its own configuration parameters. If you upgrade a monitoring component by directly replacing its configuration files, that upgrade may be overwritten by TiUP during later TiUP operations on the cluster such as deploy, scale-out, scale-in or reload, causing the upgrade to break. If you need to upgrade Prometheus, Grafana or Alertmanager, follow the upgrade steps described in this document instead of replacing the configuration files directly.

In short: the Prometheus, Grafana and Alertmanager monitoring components bundled with TiDB are not the latest versions. If you need to upgrade them to the latest version, perform a graceful upgrade following the official upgrade procedure; do not upgrade by directly replacing the monitoring components' configuration files.

Note:

  • If the existing monitoring components were deployed manually rather than by TiUP, you can upgrade them directly without following this document.
  • TiDB has not tested compatibility with newer versions of the monitoring components, so some features may not work properly after the upgrade. If you run into problems, file an issue on GitHub.
  • The feature described in this document is supported in TiUP v1.9.0 and later; check your TiUP version before using it.
  • When you upgrade a TiDB cluster with TiUP, TiUP redeploys the monitoring components at their default versions, so you need to upgrade the monitoring components again after upgrading TiDB.

For better compatibility with TiDB, it is recommended to use the Grafana component package bundled in the official TiDB installation package; the Grafana version in that package is fixed. If you need a newer Grafana version, review the new version's features on the Release Notes page of the Grafana website and choose a version suitable for your production environment, or consult PingCAP technical support for a version recommendation.

In the upgrade steps below, you first download the required version of the software package from the Grafana website and then build it into a Grafana component package that TiUP can use.

  • Download the component package from the Grafana download page. You can choose the OSS or Enterprise edition as needed.

  • Extract the downloaded package.

III. Check the current TiDB and Grafana versions

[tidb@monitor ~]$ tiup cluster list

A new version of cluster is available: v1.16.1 -> v1.16.2

To update this component: tiup update cluster
To update all components: tiup update --all

Name User Version Path PrivateKey
---- ---- ------- ---- ----------
tidb-cluster tidb v8.3.0 /home/tidb/.tiup/storage/cluster/clusters/tidb-cluster /home/tidb/.tiup/storage/cluster/clusters/tidb-cluster/ssh/id_rsa


[root@monitor ~]# cd /tidb/tidb-deploy/grafana-3000/bin/bin
[root@monitor bin]# ./grafana-cli -version
Grafana CLI version 7.5.17

IV. Download the new version package from the Grafana website

https://grafana.com/blog/2025/05/21/grafana-security-release-high-severity-security-fix-for-cve-2025-4123/

1. Download

The Enterprise Edition is the default and recommended edition. It includes all the features of the OSS Edition, can be used for free and can be upgraded to the full Enterprise feature set, including support for Enterprise plugins.


2. Extract

[root@monitor soft]# tar -xzf grafana-enterprise-12.0.1.linux-amd64.tar.gz

V. Download the official TiDB Grafana package

1. Check the current TiDB version

[tidb@monitor ~]$ tiup cluster list

A new version of cluster is available: v1.16.1 -> v1.16.2

To update this component: tiup update cluster
To update all components: tiup update --all

Name User Version Path PrivateKey
---- ---- ------- ---- ----------
tidb-cluster tidb v8.3.0 /home/tidb/.tiup/storage/cluster/clusters/tidb-cluster /home/tidb/.tiup/storage/cluster/clusters/tidb-cluster/ssh/id_rsa
2. Download TiDB

https://cn.pingcap.com/product-community/


3. Extract the tidb-server package

[root@monitor soft]# tar xvf tidb-community-server-v8.3.0-linux-amd64.tar.gz

[root@monitor soft]# ll
total 1975344
-rw-r--r-- 1 root root 192001649 May 23 04:58 grafana-enterprise-12.0.1.linux-amd64.tar.gz
drwxr-xr-x 11 root root 4096 May 28 18:18 grafana-v12.0.1
drwxr-xr-x 3 root root 4096 Aug 22 2024 tidb-community-server-v8.3.0-linux-amd64
-rw-r--r-- 1 root root 1830727896 May 29 10:45 tidb-community-server-v8.3.0-linux-amd64.tar.gz
4. Extract the Grafana package contained in the tidb-server package

[root@monitor soft]# mv tidb-community-server-v8.3.0-linux-amd64/grafana-v8.3.0-linux-amd64.tar.gz /soft

[root@monitor soft]# mkdir tidb-grafana
[root@monitor soft]# tar xvf grafana-v8.3.0-linux-amd64.tar.gz -C tidb-grafana

VI. Build a new Grafana component package for TiUP

1. Replace the extracted files

Copy the files extracted from the official Grafana package over the directory extracted from TiDB's Grafana package, replacing the files with the same names.

[root@monitor soft]# rsync -avh grafana-v12.0.1/*   tidb-grafana
2. Regenerate the Grafana archive

Compress the directory whose files were replaced and name the new archive grafana-v{new-version}.tar.gz, where {new-version} can be chosen freely.


Package it with the correct command shown below (archive the contents of the directory, so that bin/grafana-server ends up at the root of the archive):
[root@1 ~]# cd tidb-grafana
[root@monitor tidb-grafana]# tar zcvf ../tidb-grafana.tar.gz ./


Tip:
Never package it with the command below (it nests everything under a top-level tidb-grafana/ directory), otherwise the upgrade command fails with the error shown:
[root@monitor soft]# tar zcvf tidb-grafana-v12.0.1.tar.gz tidb-grafana

[tidb@monitor ~]$ tiup cluster patch tidb-cluster /soft/tidb-grafana-v12.0.1.tar.gz -R grafana --overwrite

A new version of cluster is available: v1.16.1 -> v1.16.2

To update this component: tiup update cluster
To update all components: tiup update --all
Will patch the cluster tidb-cluster with package path is /soft/tidb-grafana-v12.0.1.tar.gz, nodes: , roles: grafana.
Do you want to continue? [y/N]:(default=N) y

Error: entry bin/grafana-server not found in package /soft/tidb-grafana-v12.0.1.tar.gz

Verbose debug logs has been written to /home/tidb/.tiup/logs/tiup-cluster-debug-2025-05-29-14-51-13.log
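TiUP's error above says the entry bin/grafana-server was not found in the package, so the archive layout decides whether the patch succeeds. The shell check below is an added example, not part of the original post: it lists a tarball and verifies that bin/grafana-server sits at the archive root, and it builds two constructed sample archives (a placeholder file, not a real Grafana binary) with the correct and the incorrect packaging command from this section to show the difference before you run tiup cluster patch.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that a Grafana
# package built for `tiup cluster patch` contains bin/grafana-server at the
# archive root, which is the entry TiUP reports as missing when it is nested.
set -eu

# Returns 0 if the tarball lists bin/grafana-server at its top level
# (with or without a leading "./"), 1 otherwise.
check_tiup_grafana_pkg() {
    pkg="$1"
    tar -tzf "$pkg" | sed 's#^\./##' | grep -qx 'bin/grafana-server'
}

# Build two constructed sample packages in a scratch directory and print its
# path. The "binary" is an empty placeholder; only the layout matters here.
build_samples() {
    work="$(mktemp -d)"
    mkdir -p "$work/tidb-grafana/bin"
    : > "$work/tidb-grafana/bin/grafana-server"   # placeholder, not Grafana

    # Correct: archive the directory *contents*, as the post does with "./".
    ( cd "$work/tidb-grafana" && tar -czf ../good.tar.gz ./ )
    # Incorrect: archive the directory itself, nesting bin/ one level down.
    ( cd "$work" && tar -czf bad.tar.gz tidb-grafana )
    echo "$work"
}

work="$(build_samples)"
if check_tiup_grafana_pkg "$work/good.tar.gz"; then
    echo "good.tar.gz: bin/grafana-server found at archive root"
fi
if ! check_tiup_grafana_pkg "$work/bad.tar.gz"; then
    echo "bad.tar.gz: bin/grafana-server is nested, tiup cluster patch would fail"
fi
```

Run check_tiup_grafana_pkg against your own tidb-grafana.tar.gz before patching; a non-zero exit means the archive was built from the parent directory rather than from inside it.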

VII. Upgrade Grafana

Syntax:
tiup cluster patch <cluster-name> grafana-v{new-version}.tar.gz -R grafana --overwrite


[root@monitor soft]# su - tidb

[tidb@monitor ~]$ tiup cluster patch tidb-cluster /soft/tidb-grafana.tar.gz -R grafana --overwrite

A new version of cluster is available: v1.16.1 -> v1.16.2

To update this component: tiup update cluster
To update all components: tiup update --all

Will patch the cluster tidb-cluster with package path is /soft/tidb-grafana.tar.gz, nodes: , roles: grafana.
Do you want to continue? [y/N]:(default=N) y
+ [ Serial ] - SSHKeySet: privateKey=/home/tidb/.tiup/storage/cluster/clusters/tidb-cluster/ssh/id_rsa, publicKey=/home/tidb/.tiup/storage/cluster/clusters/tidb-cluster/ssh/id_rsa.pub
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.184
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.181
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.182
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.186
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.180
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.180
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.180
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.183
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.188
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.189
+ [Parallel] - UserSSH: user=tidb, host=192.168.1.190
+ [ Serial ] - BackupComponent: component=grafana, currentVersion=v8.3.0, remote=192.168.1.180:/tidb/tidb-deploy/grafana-3000
+ [ Serial ] - InstallPackage: srcPath=/soft/tidb-grafana.tar.gz, remote=192.168.1.180:/tidb/tidb-deploy/grafana-3000
+ [ Serial ] - UpgradeCluster
Upgrading component grafana
Restarting instance 192.168.1.180:3000
Restart instance 192.168.1.180:3000 success
Stopping component node_exporter
Stopping instance 192.168.1.180
Stop 192.168.1.180 success
Stopping component blackbox_exporter
Stopping instance 192.168.1.180
Stop 192.168.1.180 success
Starting component node_exporter
Starting instance 192.168.1.180
Start 192.168.1.180 success
Starting component blackbox_exporter
Starting instance 192.168.1.180
Start 192.168.1.180 success
  • Title: Fixing CVE-2025-4123 in TiDB's Grafana
  • Author: 𝓓𝓸𝓷
  • Created at : 2025-05-26 16:27:35
  • Updated at : 2025-06-11 14:28:55
  • Link: https://www.zhangdong.me/grafana-cve-2025-4123.html
  • License: This work is licensed under CC BY-NC-SA 4.0.