===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4197
      GitLab Runner Critical Security Release: 14.5.2, 14.4.2, and 14.3.4
                              13 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Runner
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44717 CVE-2021-39947 CVE-2021-39939

Original Bulletin:
   https://about.gitlab.com/releases/2021/12/10/security-release-gitlab-runner-14-5-2-released/

--------------------------BEGIN INCLUDED TEXT--------------------

Dec 10, 2021 - Vitor Meireles De Sousa

GitLab Runner Critical Security Release: 14.5.2, 14.4.2, and 14.3.4

Today we are releasing versions 14.5.2, 14.4.2, and 14.3.4 for GitLab Runner.
These versions contain important security fixes and we strongly recommend
that all GitLab Runner installations for both GitLab.com and self-managed
instances be upgraded to one of them immediately.

This critical security release is for two security vulnerabilities that have
been assigned a CVSS with medium severity, but that have a critical impact on
GitLab.com users. GitLab.com Shared Runners are already running the patched
version. We estimate the number of self-managed GitLab Runner installations
vulnerable to these exploits to be small, because a very specific combination
of settings is required to take advantage of this vulnerability. Even so,
again: we strongly recommend that all GitLab Runner installations be upgraded
to one of these versions immediately.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards.
As part of maintaining good security hygiene, it is highly recommended that
all customers upgrade to the latest security release for their supported
version. You can read more best practices in securing your GitLab instance in
our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by
the issues described below are upgraded to the latest version as soon as
possible.

Table of Fixes

Title                                                                    Severity
Specially crafted docker images can exhaust resources on managers        medium
Golang vulnerability CVE-2021-44717: don't close fd 0 on ForkExec error  medium

Specially crafted docker images can exhaust resources on managers

An uncontrolled resource consumption vulnerability in GitLab Runner, affecting
all versions starting from 13.7 before 14.3.4, all versions starting from 14.4
before 14.4.2, and all versions starting from 14.5 before 14.5.2, allows an
attacker triggering a job with a specially crafted docker image to exhaust
resources on a runner manager. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in
the latest release and is assigned CVE-2021-39939.

This vulnerability was discovered internally by the GitLab team.

Temporary workaround

A temporary workaround, in cases when GitLab Runner can't be updated
immediately, is to disable the FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR feature
flag in the Runner's config.toml configuration file. This turns off the
vulnerable feature and makes it impossible for users to turn it on from the
job level.

1. Open the config.toml file of the Runner that you want to update.
2. In each [[runners]] section add:

     [runners.feature_flags]
       FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR = false

3. Save the file and exit.

After that, the runner's process should detect the change and start applying
the configuration within a minute. For this configuration change, restarting
the GitLab Runner process is not required.
Golang vulnerability CVE-2021-44717: don't close fd 0 on ForkExec error

All previous versions of GitLab Runner were susceptible to Golang security
issue CVE-2021-44717: don't close fd 0 on ForkExec error, which could result
in misdirected I/O such as writing network traffic intended for one
connection to a different connection, or content intended for one file to a
different one. This is a medium severity issue
(CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, 5.3). It is now mitigated in
the latest release and is assigned CVE-2021-39947.

This vulnerability was discovered internally by the GitLab team.

Temporary workaround

A temporary workaround, in cases when GitLab Runner can't be updated
immediately, is to increase the file descriptor limit set for the runner
process. However, this depends on how the runner is specifically configured
and deployed.

Please keep in mind that updating the file descriptor limit requires
restarting the runner process. To do that without interrupting any running
jobs, send a SIGQUIT signal to the runner process. This initiates a graceful
shutdown, during which the runner will not accept any new jobs but will
finish all the jobs that were already started before exiting.

The best value for the file descriptor limit will vary depending on the load
that the runners are handling and their specific configuration. Setting the
limit at 50 for each potential job that can run concurrently on the runner
manager is a good starting point. However, to find the best value we highly
recommend monitoring the runner process and the number of file descriptors
that it uses, and adjusting as needed depending on the specific needs.

Updating

To update GitLab, see the Update page. To update GitLab Runner, find your
installation method and steps for updating here.
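As an added example (not GitLab's or AusCERT's code), the following Python script audits a runner manager's config.toml for both workarounds above: it reports every [[runners]] section where FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR is not pinned to false, and derives the bulletin's starting-point file descriptor limit of 50 per concurrent job from the top-level concurrent setting. It assumes the line-oriented layout GitLab Runner writes to config.toml and the constructed sample embedded below; it is not a general TOML parser.

```python
# Added example, not GitLab's code: audit a runner manager's config.toml for
# the two workarounds in this bulletin. Assumes the line-oriented layout that
# GitLab Runner itself writes; it is not a general TOML parser.
import re

FLAG = "FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR"
FDS_PER_JOB = 50  # starting point for the fd limit, per the bulletin

# Constructed sample config: the first runner is pinned, the second is not.
SAMPLE_CONFIG = """
concurrent = 4

[[runners]]
  name = "docker-a"
  [runners.feature_flags]
    FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR = false

[[runners]]
  name = "docker-b"
"""


def parse_runners(text):
    """Return (concurrent, runners); each runner is {"name": ..., "flags": {}}."""
    concurrent, runners, current, in_flags = 1, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[runners]]":                 # start of a runner section
            current = {"name": None, "flags": {}}
            runners.append(current)
            in_flags = False
        elif line.startswith("["):                # any other table header
            in_flags = line == "[runners.feature_flags]"
        elif (m := re.match(r'(\w+)\s*=\s*"?([^"]*)"?$', line)):
            key, value = m.groups()
            if current is None and key == "concurrent":
                concurrent = int(value)           # global job concurrency
            elif current is not None and in_flags:
                current["flags"][key] = value.lower() == "true"
            elif current is not None and key == "name":
                current["name"] = value
    return concurrent, runners


def audit(text):
    """Runners where the flag is not pinned false can still enable it per job."""
    concurrent, runners = parse_runners(text)
    exposed = [r["name"] for r in runners if r["flags"].get(FLAG) is not False]
    return {"exposed": exposed, "suggested_nofile": FDS_PER_JOB * concurrent}
```

Pass the contents of the real config.toml to audit(); a runner listed as exposed has the flag unset or set to true, so a job can still switch the vulnerable feature on.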
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================