-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2018.0182
       GitLab Critical Security Release: 11.0.4, 10.8.6, and 10.7.7
                               20 July 2018
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab
Operating System:  Windows
                   Linux variants
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Modify Arbitrary Files          -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14364
Member content until: Sunday, August 19 2018

OVERVIEW

        A vulnerability has been discovered in GitLab Community Edition (CE)
        and Enterprise Edition (EE) prior to versions 11.0.4, 10.8.6, and
        10.7.7. [1]

IMPACT

        The vendor has provided the following information regarding the
        vulnerability:

        "The GitLab projects import component contained a vulnerability
        which allowed an attacker to write files to arbitrary directories
        on the server and that could result in remote code execution.

        The vulnerability has now been mitigated and is assigned to
        CVE-2018-14364.

        Thanks to @nyangawa of Chaitin Tech for responsibly reporting this
        vulnerability to us." [1]

MITIGATION

        GitLab versions 11.0.4, 10.8.6, and 10.7.7 have been released which
        address this vulnerability.

        Additionally, the vendor has provided the following workaround:

        "Additional Workarounds

        Go to /admin/application_settings of your GitLab instance.
        Under "Import sources", uncheck the "GitLab export" checkbox.
        Click Save." [1]

REFERENCES

        [1] GitLab Critical Security Release: 11.0.4, 10.8.6, and 10.7.7
            https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
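The following triage helper is an added example, not part of the AusCERT bulletin or of GitLab's own code. It turns the bulletin's two remediation paths into a check: is the reported version at or past the fixed release for its branch, and if not, has the "GitLab export" import source been disabled as the interim workaround? It assumes the version string and the application-settings JSON were fetched from the instance's API (the `import_sources` key and the `gitlab_project` value for the "GitLab export" source are assumptions, not stated in the bulletin).

```python
"""Triage helper for ASB-2018.0182 / CVE-2018-14364 (added example, not the
bulletin's or GitLab's code).  Assumes the version string and the settings JSON
come from the instance's API; 'import_sources' and the 'gitlab_project' value
for the "GitLab export" source are assumed field names, not from the bulletin."""
import json
import re

# Fixed releases named in the bulletin; anything older on that branch is affected.
FIXED = [(11, 0, 4), (10, 8, 6), (10, 7, 7)]

def parse_version(text):
    """Turn '10.8.5-ee' into (10, 8, 5); edition/build suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True if the version predates the fix for its release branch."""
    v = parse_version(version)
    for fix in FIXED:
        if v[:2] == fix[:2]:
            return v < fix          # same branch: the patch level decides
    return v < min(FIXED)           # older than the oldest fixed branch

def workaround_applied(settings_json):
    """True if 'GitLab export' is absent from the enabled import sources."""
    sources = json.loads(settings_json).get("import_sources", [])
    return "gitlab_project" not in sources

def triage(version, settings_json):
    """Summarise the instance's state against the bulletin's two remedies."""
    if not is_vulnerable(version):
        return "patched"
    if workaround_applied(settings_json):
        return "vulnerable (workaround applied) - upgrade still required"
    return "VULNERABLE - apply workaround or upgrade"

# Constructed sample settings: GitLab export imports are still enabled.
SAMPLE_SETTINGS = json.dumps({"import_sources": ["github", "gitlab_project"]})

if __name__ == "__main__":
    for ver in ("11.0.3-ee", "11.0.4", "10.8.6", "10.6.2", "11.1.0"):
        print(ver, "->", triage(ver, SAMPLE_SETTINGS))
```

Versions on branches newer than 11.0 are treated as fixed, since they were released after the advisory; any version older than 10.7.7 is treated as affected.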
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================