The widely-used DevOps platform GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE).
The vulnerability affects the following GitLab CE/EE versions:
- all versions starting from 11.3.4 before 15.1.5
- all versions starting from 15.2 before 15.2.3
- all versions starting from 15.3 before 15.3.1
Affected versions allow an authenticated user to execute arbitrary commands remotely by abusing the Import from GitHub API endpoint. The remote code execution (RCE) vulnerability is tracked as CVE-2022-2884 and carries a CVSS score of 9.9, just 0.1 below the maximum severity rating.
GitLab is a hugely popular open-core platform with 30 million registered users. It lets development teams host and manage Git repositories remotely, and it also provides DevOps features such as CI/CD pipelines for automated deployment (GitLab Runner).
GitLab Instances Must Be Patched Immediately
GitLab.com has already been patched, but users who install, administer, and maintain their own instance must patch it themselves. If you run a vulnerable installation, upgrade to 15.3.1, 15.2.3, or 15.1.5 as soon as possible. GitLab provides guides that walk you through updating an instance.
For those who can’t upgrade immediately, the only workaround is to disable GitHub as an import source under Menu > Admin > Settings > General > Visibility and access controls. GitLab recommends that its users test the workaround by creating a new project to ensure “GitHub” is no longer available in the import options.
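The following script is an added example (not GitLab's own tooling) that automates the two checks a self-hosting administrator needs from the paragraphs above: whether a given instance version falls inside the affected ranges listed in the advisory and, if so, which release fixes it; and, for the workaround, how to turn the instance's current `import_sources` setting into the body of a `PUT /api/v4/application/settings` request that removes GitHub while leaving every other import source untouched. The version ranges are those stated in the advisory; `import_sources` is GitLab's documented application-settings field; the sample settings JSON, the host name and the admin token are constructed placeholders.

```python
"""Check a GitLab version against the CVE-2022-2884 affected ranges and
prepare the "disable GitHub as an import source" workaround payload.

Added example, not GitLab's own code. Ranges come from the advisory; the
`import_sources` field is GitLab's application-settings API field; host and
token below are placeholders.
"""
import json
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive start, exclusive end, first fixed release) for each affected branch.
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5), "15.1.5"),
    ((15, 2, 0), (15, 2, 3), "15.2.3"),
    ((15, 3, 0), (15, 3, 1), "15.3.1"),
]


def parse_version(text: str) -> Version:
    """Turn '15.2.1-ee' or '15.3' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]          # drop '-ee' / '-ce' edition suffixes
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                      # '15.3' means 15.3.0
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def vulnerable_fix(version: str) -> Optional[str]:
    """Return the first fixed release for `version`, or None if it is outside
    every affected range (already patched, or older than 11.3.4)."""
    v = parse_version(version)
    for start, end, fixed in AFFECTED_RANGES:
        if start <= v < end:
            return fixed
    return None


def github_import_enabled(settings: dict) -> bool:
    """True if the instance still lists GitHub among its import sources."""
    return "github" in settings.get("import_sources", [])


def workaround_payload(settings: dict) -> dict:
    """Build the PUT /api/v4/application/settings body that removes only
    'github' from the import sources, keeping the others as they are."""
    remaining = [s for s in settings.get("import_sources", []) if s != "github"]
    return {"import_sources": remaining}


# Constructed sample of the relevant part of a GET /api/v4/application/settings
# response; a real response carries many more fields.
SAMPLE_SETTINGS = {"import_sources": ["github", "bitbucket", "gitea", "git"]}

if __name__ == "__main__":
    for ver in ["15.2.1-ee", "15.3.1", "14.10.0", "11.3.3"]:
        fix = vulnerable_fix(ver)
        print(f"{ver:12} -> {'upgrade to ' + fix if fix else 'not in an affected range'}")
    if github_import_enabled(SAMPLE_SETTINGS):
        body = workaround_payload(SAMPLE_SETTINGS)
        # Placeholder host/token: send this with an administrator's PRIVATE-TOKEN header.
        print("PUT https://GITLAB_HOST/api/v4/application/settings")
        print(json.dumps(body))
```

After applying the workaround, verify it the way the advisory suggests: create a new project and confirm that GitHub no longer appears among the import options, and re-read `GET /api/v4/application/settings` to confirm `import_sources` no longer contains `github`.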
RCE vulnerabilities are critical flaws that let attackers run code of their choosing on the targeted system. Once such a vulnerability is disclosed publicly, it is usually exploited in the wild quickly, so the fix must be applied promptly.