Grafana and sqlite vulnerability


#1

Hi all,
we are using grafana 5.3.2 docker image with sqlite persistence.
Due to a question about the magellan remote code execution vulnerability in sqlite I have to check which version of sqlite grafana is working on and if it’s using sqlite’s FTS3 feature.
I was not able to find this information: could you please address or tell me this information?

I can see from go source that there is a go sqlite3 driver but I’m not able to find the related sqlite version.

–EDIT more precise data:
Affected sqlite versions are < 3.25.3 with FTSE extension enabled.

Thank you in advance.
Rob


#2

You need to ssh to the docker image after you run it and use the command line or look in the config file to find the sqlite version.


#3

Thank you very much: I found that the docker image seems to inherit the debian stretch one, that is currently 3.16.x -> sqlite 3.16.2-5+deb9u1 (libsqlite)

But I’m not able to understand if FTS3 extension is used. I will assume that current grafana docker image is vulnerable and try to update on my local docker image.
Thank you again for the help.
Kind regards,
Rob
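
The check discussed in this thread (SQLite version below 3.25.3 and FTS3 available), written out as an added example; it is not part of the original posts and is not Grafana code. It assumes Python's standard `sqlite3` module, so it reports on the SQLite library linked into the interpreter that runs it; the function names are hypothetical, and the same two SQL statements can be issued through any other SQLite driver.

```python
import sqlite3

FIXED_IN = (3, 25, 3)  # threshold quoted in post #1


def parse_version(text):
    """Turn '3.16.2' or a package string like '3.16.2-5+deb9u1' into (3, 16, 2)."""
    upstream = text.strip().split("-")[0]          # drop any distro suffix
    return tuple(int(part) for part in upstream.split("."))


def is_affected(version_text, fts3_available):
    """Apply the thread's rule: version < 3.25.3 and FTS3 present."""
    # Tuple comparison is numeric, so 3.9.x sorts below 3.25.x as it should.
    return bool(fts3_available) and parse_version(version_text) < FIXED_IN


def probe(conn):
    """Ask a live SQLite connection for its version and FTS3 support."""
    version = conn.execute("SELECT sqlite_version()").fetchone()[0]
    options = [row[0] for row in conn.execute("PRAGMA compile_options")]
    try:
        # Functional check: creating an fts3 table fails with
        # "no such module: fts3" when the extension is not compiled in.
        # The temp schema keeps the probe out of the main database file.
        conn.execute("CREATE VIRTUAL TABLE temp.fts3_probe USING fts3(body)")
        conn.execute("DROP TABLE temp.fts3_probe")
        fts3 = True
    except sqlite3.OperationalError:
        fts3 = False
    return {
        "version": version,
        "fts_options": [o for o in options if "FTS" in o],
        "fts3_available": fts3,
        "affected": is_affected(version, fts3),
    }


if __name__ == "__main__":
    # In-memory database: reports on the library itself, touches no files.
    with sqlite3.connect(":memory:") as conn:
        print(probe(conn))
```

The result describes only the SQLite build behind the connection that was probed, which may differ from the system `libsqlite` package when a program bundles its own copy.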