-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4197
    GitLab Runner Critical Security Release: 14.5.2, 14.4.2, and 14.3.4
                             13 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Runner
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44717 CVE-2021-39947 CVE-2021-39939

Original Bulletin: 
   https://about.gitlab.com/releases/2021/12/10/security-release-gitlab-runner-14-5-2-released/

- --------------------------BEGIN INCLUDED TEXT--------------------

Dec 10, 2021 - Vitor Meireles De Sousa  

GitLab Runner Critical Security Release: 14.5.2, 14.4.2, and 14.3.4

Today we are releasing versions 14.5.2, 14.4.2, and 14.3.4 for GitLab Runner.

These versions contain important security fixes and we strongly recommend that
all GitLab Runner installations for both GitLab.com and self-managed instances
be upgraded to one of them immediately. This critical security release is for
two security vulnerabilities that have been assigned a CVSS with medium
severity, but that have a critical impact on GitLab.com users.

GitLab.com Shared Runners are already running the patched version.

We estimate that the number of self-managed GitLab Runner installations
vulnerable to these exploits is small, because a very specific combination of
settings is required to take advantage of this vulnerability. Even so, again: we
strongly recommend that all GitLab Runner installations be upgraded to one of
these versions immediately.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

Table of Fixes

                                 Title                                    Severity
Specially crafted docker images can exhaust resources on managers        medium
Golang vulnerability CVE-2021-44717: don't close fd 0 on ForkExec error  medium

Specially crafted docker images can exhaust resources on managers

An uncontrolled resource consumption vulnerability in GitLab Runner, affecting
all versions starting from 13.7 before 14.3.4, all versions starting from 14.4
before 14.4.2, and all versions starting from 14.5 before 14.5.2, allows an
attacker who can trigger a job with a specially crafted docker image to exhaust
resources on a runner manager. This is a medium severity issue (CVSS:3.0/AV:N/
AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release
and is assigned CVE-2021-39939.

This vulnerability was discovered internally by the GitLab team.

Temporary workaround

A temporary workaround, in cases when GitLab Runner can't be updated
immediately, is to disable the FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR
feature flag in the Runner's config.toml configuration file. This turns off the
vulnerable feature and makes it impossible for users to turn it on from the job
level.

 1. Open the config.toml file of the Runner that you want to update.

 2. In each [[runners]] section add:

     [runners.feature_flags]
       FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR = false

 3. Save the file and exit.

After that, the runner's process should detect the change and start applying
the configuration within a minute. For this configuration change, restarting
the GitLab Runner process is not required.

Golang vulnerability CVE-2021-44717: don't close fd 0 on ForkExec error

All previous versions of GitLab Runner were susceptible to Golang security
issue CVE-2021-44717: don't close fd 0 on ForkExec error, which could result in
misdirected I/O such as writing network traffic intended for one connection to
a different connection, or content intended for one file to a different one.
This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N,
5.3). It is now mitigated in the latest release and is assigned CVE-2021-39947.

This vulnerability was discovered internally by the GitLab team.

Temporary workaround

A temporary workaround, in cases when GitLab Runner can't be updated
immediately, would be to increase the file descriptor limit set for the runner
process. However, this is dependent on how it's specifically configured and
deployed.

Please keep in mind that updating the file descriptors limit requires
restarting the runner process. To do that without interrupting any running jobs
one should send a SIGQUIT signal to the runner process. This will initiate a
graceful shutdown, during which the runner will not accept any new jobs but
will finish all the jobs that were already started before exiting.

The best value for the file descriptor limit will vary depending on the load
that the runners are handling and their specific configuration. Setting the
limit at 50 for each potential job that can run concurrently on the runner
manager is a good starting point. However, to find the best value we highly
recommend monitoring the runner process and the number of file descriptors that
it uses, and adjusting the limit as needed for your specific needs.
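The following script is an added example, not GitLab's code, that audits a
runner host for both temporary workarounds in this bulletin: it reads a
config.toml, reports every [[runners]] section that does not pin
FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR to false, and compares the runner
process's soft "Max open files" limit against the starting point of 50
descriptors per concurrently runnable job. It assumes GitLab Runner's
documented config.toml layout (a top-level `concurrent` key and a
[runners.feature_flags] table inside each [[runners]] table) and the Linux
/proc/<pid>/limits format; the config and limits text below are constructed
samples, and the helper names are the example's own.

```python
# Added example (not GitLab's code): audit a runner host for the two temporary
# workarounds in this bulletin. Assumes the documented config.toml layout and
# the Linux /proc/<pid>/limits format; all sample data is constructed.
import os
import re
import signal

FD_PER_JOB = 50  # starting point recommended in the bulletin

# Constructed sample config.toml: two Docker runners, only "docker-a" has the
# feature flag pinned to false as the workaround requires.
SAMPLE_CONFIG = """\
concurrent = 40

[[runners]]
  name = "docker-a"
  executor = "docker"
  [runners.feature_flags]
    FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR = false
  [runners.docker]
    image = "alpine:3.14"

[[runners]]
  name = "docker-b"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.14"
"""

# Constructed sample of /proc/<pid>/limits for a runner process.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
Max processes             31000                31000                processes
"""

_KV = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$")


def parse_runner_config(text):
    """Line-based reader for the subset of config.toml this check needs.

    Returns (concurrent, runners); each runner is {"name": ..., "umask_ff": ...}
    where umask_ff is True/False, or None when the flag is not set at all.
    """
    concurrent, runners, section = None, [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line == "[[runners]]":
            runners.append({"name": None, "umask_ff": None})
            section = "runners"
            continue
        if line.startswith("["):
            section = line.strip("[]")  # e.g. "runners.feature_flags"
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if section == "" and key == "concurrent":
            concurrent = int(value)
        elif section == "runners" and key == "name":
            runners[-1]["name"] = value.strip('"')
        elif section == "runners.feature_flags" and key == "FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR":
            runners[-1]["umask_ff"] = value.lower() == "true"
    return concurrent, runners


def runners_missing_umask_workaround(runners):
    """Names of [[runners]] sections that do not pin the flag to false."""
    return [r["name"] for r in runners if r["umask_ff"] is not False]


def recommended_fd_limit(concurrent):
    """Bulletin's starting point: 50 descriptors per concurrently runnable job."""
    return FD_PER_JOB * concurrent


def parse_soft_open_files_limit(limits_text):
    """Soft 'Max open files' value from /proc/<pid>/limits text (None if unlimited)."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            soft = line.split()[3]  # "Max open files <soft> <hard> files"
            return None if soft == "unlimited" else int(soft)
    return None


def fd_limit_check(limits_text, concurrent):
    """Compare the process's soft limit with the recommended starting value."""
    soft = parse_soft_open_files_limit(limits_text)
    need = recommended_fd_limit(concurrent)
    return {"soft": soft, "recommended": need, "sufficient": soft is None or soft >= need}


def live_fd_usage(pid):
    """Current open-descriptor count of a running process (Linux /proc only)."""
    fd_dir = f"/proc/{pid}/fd"
    return len(os.listdir(fd_dir)) if os.path.isdir(fd_dir) else None


def graceful_stop(pid):
    """Drain the runner before a restart: SIGQUIT finishes running jobs, takes no new ones."""
    os.kill(pid, signal.SIGQUIT)


if __name__ == "__main__":
    concurrent, runners = parse_runner_config(SAMPLE_CONFIG)
    print("runners without the umask workaround:", runners_missing_umask_workaround(runners))
    print("fd limit check:", fd_limit_check(SAMPLE_LIMITS, concurrent))
    print("this process holds", live_fd_usage(os.getpid()), "descriptors")
```

On a real host, replace SAMPLE_CONFIG with the contents of the runner's
config.toml and SAMPLE_LIMITS with /proc/<runner pid>/limits; polling
live_fd_usage() over time is the monitoring the bulletin asks for before
settling on a limit, and graceful_stop() is the SIGQUIT step to use when the
new limit requires a restart.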

Updating

To update GitLab, see the Update page. To update GitLab Runner, find your
installation method and steps for updating here.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----