===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                              ESB-2024.2273.2                              
               GitLab Patch Release: 16.10.2, 16.9.4, 16.8.6               
                               12 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition                                
                   GitLab Enterprise Edition                               
Publisher:         GitLab                                                  
Operating System:  Windows                                                 
                   UNIX variants (UNIX, Linux, OSX)                        
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-6678 CVE-2023-6489 CVE-2024-2279               

Original Bulletin:
   https://about.gitlab.com/releases/2024/04/10/patch-release-gitlab-16-10-2-released/

Comment: CVSS (Max):  8.7 CVE-2024-2279 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
         CVSS Source: GitLab                                               
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Revision History:  April 12 2024: Edit Publisher and Product Name
                   April 12 2024: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Apr 10, 2024 - Greg Alfaro

GitLab Patch Release: 16.10.2, 16.9.4, 16.8.6

Today we are releasing versions 16.10.2, 16.9.4, 16.8.6 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly
recommend that all GitLab installations be upgraded to one of these versions
immediately. GitLab.com is already running the patched version.

GitLab releases fixes for vulnerabilities in dedicated patch releases. There
are two types of patch releases: scheduled releases, and ad-hoc critical
patches for high-severity vulnerabilities. Scheduled releases are released
twice a month on the second and fourth Wednesdays. For more information, you
can visit our releases handbook and security FAQ. You can see all GitLab
release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on
our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest patch release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below be upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a
product is mentioned, this means all types are affected.

Security fixes

Table of security fixes

               Title                 Severity
Stored XSS injected in diff viewer   High
Stored XSS via autocomplete results  High
Redos on Integrations Chat Messages  Medium
Redos During Parse Junit Test Report Medium

Stored XSS injected in diff viewer

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A
payload may lead to a stored XSS while using the diff viewer, allowing
attackers to perform arbitrary actions on behalf of victims. This is a high
severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now
mitigated in the latest release and is assigned CVE-2024-3092.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty
program.

Stored XSS via autocomplete results

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 16.7 to 16.8.6, all versions starting from 16.9 before 16.9.4, and all
versions starting from 16.10 before 16.10.2. Using the autocomplete for issue
references feature, a crafted payload may lead to a stored XSS, allowing
attackers to perform arbitrary actions on behalf of victims. This is a high
severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now
mitigated in the latest release and is assigned CVE-2024-2279.

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty
program.

Redos on Integrations Chat Messages

A denial of service vulnerability was identified in GitLab CE/EE, versions
16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4, and 16.10 prior to 16.10.2, which
allows an attacker to spike the GitLab instance's resource usage via the chat
integration feature, resulting in service degradation. This is a medium
severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now
mitigated in the latest release and is assigned CVE-2023-6489.

Thanks Anonymizer for reporting this vulnerability through our HackerOne bug
bounty program.

Redos During Parse Junit Test Report

An issue has been discovered in GitLab EE affecting all versions before 16.8.6,
all versions starting from 16.9 before 16.9.4, and all versions starting from
16.10 before 16.10.2. It was possible for an attacker to cause a denial of
service using maliciously crafted content in a JUnit test report file. This is
a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It
is now mitigated in the latest release and is assigned CVE-2023-6678.

Thanks Anonymizer for reporting this vulnerability through our HackerOne bug
bounty program.
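
Added example (not GitLab's or AusCERT's code): a small Python check that maps a running GitLab version string, in the "16.10.1-ee" form GitLab reports, onto the affected ranges stated in the four descriptions above and names the patched release to move to. The edition-suffix handling and the reading of "from 16.7 to 16.8.6" as 16.7 <= version < 16.8.6 are assumptions of this example.

```python
import re

# (lower inclusive, upper exclusive) version ranges per CVE, transcribed from
# the advisory text above. CVE-2023-6678 affects EE only; the others CE and EE.
# "from 16.7 to 16.8.6" (CVE-2024-2279) is read here as 16.7 <= version < 16.8.6.
ADVISORY = {
    "CVE-2024-3092": ({"ce", "ee"}, [("16.9", "16.9.4"), ("16.10", "16.10.2")]),
    "CVE-2024-2279": ({"ce", "ee"}, [("16.7", "16.8.6"), ("16.9", "16.9.4"),
                                     ("16.10", "16.10.2")]),
    "CVE-2023-6489": ({"ce", "ee"}, [("16.7.7", "16.8.6"), ("16.9", "16.9.4"),
                                     ("16.10", "16.10.2")]),
    "CVE-2023-6678": ({"ee"}, [("0", "16.8.6"), ("16.9", "16.9.4"),
                               ("16.10", "16.10.2")]),
}
FIXED_VERSIONS = ["16.8.6", "16.9.4", "16.10.2"]  # the releases this bulletin ships

_VERSION_RE = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(ee|ce))?")

def parse_version(text):
    """'16.10.1-ee' -> ((16, 10, 1), 'ee'). Missing components count as 0; a
    string with no edition suffix is treated as CE (assumption of this example)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    numbers = tuple(int(part or 0) for part in m.group(1, 2, 3))
    return numbers, (m.group(4) or "ce")

def affected_cves(version_text):
    """CVEs from this bulletin that apply to the given version, in bulletin order."""
    version, edition = parse_version(version_text)
    hits = []
    for cve, (editions, ranges) in ADVISORY.items():
        if edition in editions and any(
            parse_version(low)[0] <= version < parse_version(high)[0]
            for low, high in ranges
        ):
            hits.append(cve)
    return hits

def recommended_upgrade(version_text):
    """Lowest patched release above the running version, or None when the
    version is not affected by anything in this bulletin."""
    if not affected_cves(version_text):
        return None
    version, _ = parse_version(version_text)
    return next(f for f in FIXED_VERSIONS if parse_version(f)[0] > version)

if __name__ == "__main__":
    for running in ("16.7.3-ee", "16.8.5", "16.10.1-ee", "16.10.2-ee"):
        print(running, affected_cves(running), recommended_upgrade(running))
```

A version outside every range (for example a CE 16.6.x instance) returns no CVEs from this bulletin, which only says it is out of this bulletin's scope, not that it is current.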

Bug fixes

16.10.2

  o Quarantine flaky atomic processing ResetSkippedJobsService specs
  o Fix include_optional_metrics_in_service_ping during migration to 16.10
  o Use alpine:latest instead of alpine:edge in CI images [16.10]
  o [16.10] Backport Delete callback should use namespace_id
  o [16.10] Backport handle null owner when indexing projects
  o Backport Zoekt: Retry indexing if too many requests to 16.10
  o Backport https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148596
  o Fix URL validator for mirror services when using localhost
  o Backport !148105 into 16.10
  o Cherry-pick 'fix-omnibus-gitconfig-deprecation' into '16-10-stable'

16.9.4

  o Quarantine flaky atomic processing ResetSkippedJobsService specs
  o Use alpine:latest instead of alpine:edge in CI images [16.9]

16.8.6

  o Quarantine flaky atomic processing ResetSkippedJobsService specs
  o Use alpine:latest instead of alpine:edge in CI images [16.8]

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

--------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================