Update now! GitLab issues critical security release for RCE vulnerability
GitLab has released security fixes for a remote code execution vulnerability tracked as CVE-2022-2884.
The post Update now! GitLab issues critical security release for RCE vulnerability appeared first on Malwarebytes Labs.
GitLab has released versions 15.3.1, 15.2.3, and 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and GitLab recommends that all self-managed installations be upgraded to one of them immediately. GitLab.com is already running the patched version.
GitLab
GitLab and GitHub are web-based Git hosting platforms that let developers collaborate on code. GitLab, whose Community Edition is open source, is positioned as a single DevOps platform for teams (repositories, issue tracking, CI/CD, and security scanning), while GitHub concentrates more on hosting and the workflow of individual developers and organizations. Both offer hosted services as well as self-managed deployments.
GitLab has millions of users worldwide. The release does not single out a deployment type (Omnibus packages, installation from source, Helm chart, and so on), so all self-managed deployment types should be treated as affected.
RCE vulnerability
The main reason to apply this security update as soon as possible is CVE-2022-2884, a Remote Command Execution (RCE) vulnerability in the GitHub import feature. GitLab rates its severity as critical, with a CVSS score of 9.9 out of 10.
The vulnerability in GitLab CE/EE affects all versions starting from 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, and all versions starting from 15.3 before 15.3.1. The flaw allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. Authentication is required, so instances that allow open sign-up, or that have many accounts whose credentials could be phished or leaked, are exposed to a larger pool of potential attackers. By exploiting this vulnerability, a threat actor could take control of the server, steal or delete source code, push malicious commits, and more.
Mitigation
Users are advised to upgrade to the latest security release for their supported version. To update GitLab, see the GitLab update page.
If you’re unable to update right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.
Disable GitHub import
Log in to your GitLab installation with an administrator account and perform the following:
- Click "Menu" -> "Admin".
- Click "Settings" -> "General".
- Expand the "Visibility and access controls" section.
- Under "Import sources", disable the "GitHub" option.
- Click "Save changes".
Verifying the workaround
- In a browser window, log in as any user.
- Click "+" on the top bar.
- Click "New project/repository".
- Click "Import project".
- Verify that "GitHub" does not appear as an import option.
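For administrators with more than a handful of instances, the affected-version ranges above and the disable-GitHub-import workaround can both be driven through GitLab's REST API instead of the UI. The following script is an added example, not code from GitLab or from the original article. It assumes the public API endpoints GET /api/v4/version and GET/PUT /api/v4/application/settings (whose `import_sources` array is the same setting the UI steps change), an administrator personal access token with the `api` scope in the GITLAB_TOKEN environment variable, and the instance base URL in GITLAB_URL; the `SAMPLE_SETTINGS` response is a constructed stand-in so the version and settings logic can be exercised offline.

```python
"""Triage and work around CVE-2022-2884 on a self-managed GitLab instance.

Added example, not GitLab's or the article's code. Assumes GitLab's REST API
(GET /api/v4/version, GET/PUT /api/v4/application/settings with the
`import_sources` array) and an admin personal access token with the `api`
scope, supplied via the GITLAB_URL and GITLAB_TOKEN environment variables.
"""
import json
import os
import urllib.request

# Vulnerable ranges from the advisory, as [first affected, first fixed) pairs.
AFFECTED_RANGES = (
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
)

# Constructed stand-in for a GET /api/v4/application/settings response.
SAMPLE_SETTINGS = {"import_sources": ["github", "bitbucket", "gitlab_project", "git"]}


def parse_version(text):
    """'15.2.2-ee' -> (15, 2, 2); ignores the -ce/-ee/-pre suffix, pads 'x.y'."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    """True if `version` falls inside one of the advisory's vulnerable ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def github_import_enabled(settings):
    """Check the `import_sources` array of an application-settings response."""
    return "github" in settings.get("import_sources", [])


def without_github(import_sources):
    """The same list with only the GitHub importer removed; other sources stay."""
    return [s for s in import_sources if s != "github"]


def api(method, path, body=None):
    """Minimal authenticated call to the GitLab REST API; returns decoded JSON."""
    url = os.environ["GITLAB_URL"].rstrip("/") + "/api/v4" + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("PRIVATE-TOKEN", os.environ["GITLAB_TOKEN"])
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main():
    version = api("GET", "/version")["version"]
    print(f"GitLab {version}: {'AFFECTED' if is_affected(version) else 'not affected'}")
    settings = api("GET", "/application/settings")
    if not github_import_enabled(settings):
        print("GitHub import already disabled; nothing to do")
        return
    if is_affected(version):
        api("PUT", "/application/settings",
            {"import_sources": without_github(settings["import_sources"])})
        # Re-read the settings rather than trusting the PUT response: this is
        # the API equivalent of the "Verifying the workaround" steps.
        assert not github_import_enabled(api("GET", "/application/settings"))
        print("GitHub import disabled; re-enable it only after upgrading")


if __name__ == "__main__":
    if "GITLAB_URL" in os.environ and "GITLAB_TOKEN" in os.environ:
        main()
    else:
        # Offline demonstration on the constructed sample.
        print(is_affected("15.2.2-ee"), without_github(SAMPLE_SETTINGS["import_sources"]))
```

The script only removes the GitHub entry from `import_sources`, leaving the other import sources as they were, and it re-reads the settings after the PUT so the verification does not depend on the write having succeeded silently. Like the UI workaround, this is a stopgap: the GitHub importer should only be switched back on once the instance reports a fixed version.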