===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.1418.2
       GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7
                               4 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition (CE)
                   GitLab Enterprise Edition (EE)
Publisher:         GitLab
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1193 CVE-2022-1190 CVE-2022-1189
                   CVE-2022-1188 CVE-2022-1185 CVE-2022-1175
                   CVE-2022-1174 CVE-2022-1162 CVE-2022-1157
                   CVE-2022-1148 CVE-2022-1121 CVE-2022-1120
                   CVE-2022-1111 CVE-2022-1105 CVE-2022-1100
                   CVE-2022-1099 CVE-2022-0740 

Original Bulletin: 
   https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/

Comment: CVSS (Max):  9.1 CVE-2022-1162 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
         CVSS Source: GitLab
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Revision History:  April 4 2022: Vendor updated advisory by adding a script to help admins identify user accounts potentially impacted by CVE-2022-1162. Also updated the CVSS score.
                   April 1 2022: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7

Updated 14:50 UTC 2022-04-01: We have updated this blog post with a script to
be used by self-managed instance admins to identify user accounts potentially
impacted by CVE-2022-1162.

Today we are releasing versions 14.9.2, 14.8.5, and 14.7.7 for GitLab Community
Edition (CE) and Enterprise Edition (EE). Please note, this critical release
will also serve as our monthly security release for March.

We strongly recommend that all GitLab installations be upgraded to one of these
versions immediately.

These versions contain important security fixes. GitLab.com is already running
the patched version.

GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd
of each month), and ad-hoc security releases for critical vulnerabilities. For
more information, you can visit our security FAQ. You can see all of our
regular and security release blog posts here. In addition, the issues detailing
each vulnerability are made public on our issue tracker 30 days after the
release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to
customers or that host customer data are held to the highest security
standards. As part of maintaining good security hygiene, it is highly
recommended that all customers upgrade to the latest security release for their
supported version. You can read more best practices in securing your GitLab
instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a
product is mentioned, this means all types are affected.

Table of Fixes

Severity  Title
critical  Static passwords inadvertently set during OmniAuth-based registration
high      Stored XSS in notes
high      Stored XSS on Multi-word milestone reference
medium    Denial of service caused by a specially crafted RDoc file
medium    GitLab Pages access tokens can be reused on multiple domains
medium    GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout
medium    Incorrect include in pipeline definition exposes masked CI variables in UI
medium    Regular expression denial of service in release asset link
medium    Latest Commit details from private projects leaked to guest users via Merge Requests
medium    CI/CD analytics are available even when public pipelines are disabled
medium    Absence of limit for the number of tags that can be added to a runner can cause performance issues
medium    Client DoS through rendering crafted comments
low       Blind SSRF Through Repository Mirroring
low       Bypass of branch restriction in Asana integration
low       Readable approval rules by Guest user
low       Redact InvalidURIError error messages
low       Project import maps members' created_by_id users based on source user ID

Static passwords inadvertently set during OmniAuth-based registration

A hardcoded password was set for accounts registered using an OmniAuth provider
(e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8
prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially
take over accounts. This is a critical severity issue
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, 9.1). It is now mitigated in the
latest release and is assigned CVE-2022-1162.

This vulnerability has been discovered internally by the GitLab team.

Note: We executed a reset of GitLab.com passwords for a selected set of users
as of 15:38 UTC. Our investigation shows no indication that users or accounts
have been compromised but we're taking precautionary measures for our users'
security.

Stored XSS in notes

Improper neutralization of user input in GitLab CE/EE versions 14.4 before
14.7.7, all versions starting from 14.8 before 14.8.5, and all versions
starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by
injecting HTML in notes. This is a high severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the
latest release and is assigned CVE-2022-1175.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug
bounty program.

Stored XSS on Multi-word milestone reference

Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7,
14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a
stored XSS by abusing multi-word milestone references in issue descriptions,
comments, etc. This is a high severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the
latest release and is assigned CVE-2022-1190.

Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug
bounty program.

Denial of service caused by a specially crafted RDoc file

A denial of service vulnerability when rendering RDoc files in GitLab CE/EE
versions 10 to 14.7.7, 14.8.0 to 14.8.5, and 14.9.0 to 14.9.2 allows an
attacker to crash the GitLab web application with a maliciously crafted RDoc
file. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the
latest release and is assigned CVE-2022-1185.

Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty
program.

GitLab Pages access tokens can be reused on multiple domains

Improper authorization in GitLab Pages included with GitLab CE/EE affecting all
versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to
14.9.2 allowed an attacker to steal a user's access token on an
attacker-controlled private GitLab Pages website and reuse that token on the
victim's other private websites. This is a medium severity issue
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, 5.3). It is now mitigated in the
latest release and is assigned CVE-2022-1148.

Thanks ehhthing for reporting this vulnerability through our HackerOne bug
bounty program.

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive
timeout

A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all
versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows
an attacker to cause unlimited resource consumption. This is a medium severity
issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, 5.3). It is now mitigated
in the latest release and is assigned CVE-2022-1121.

Thanks feistel for reporting this vulnerability.

Incorrect include in pipeline definition exposes masked CI variables in UI

Missing filtering in an error message in GitLab CE/EE affecting all versions
prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 exposed
sensitive information when an include directive fails in the CI/CD
configuration. This is a medium severity issue
(CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N, 4.8). It is now mitigated in the
latest release and is assigned CVE-2022-1120.

Thanks bdrich for reporting this vulnerability through our HackerOne bug bounty
program.

Regular expression denial of service in release asset link

A potential DoS vulnerability was discovered in GitLab CE/EE affecting all
versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to
14.9.2. The API to update an asset as a link from a release had a regex check
which caused an exponential number of backtracks for certain user-supplied
values, resulting in high CPU usage. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-1100.

This vulnerability has been discovered internally by the GitLab team.

Latest Commit details from private projects leaked to guest users via Merge
Requests

Improper access control in GitLab CE/EE since version 10.7 allows a malicious
actor to obtain details of the latest commit in a private project via Merge
Requests under certain circumstances. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-1193.

Thanks albatraoz for reporting this vulnerability through our HackerOne bug
bounty program.

CI/CD analytics are available even when public pipelines are disabled

An improper access control vulnerability in GitLab CE/EE affecting all versions
from 13.11 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2
allows an unauthorized user to access pipeline analytics even when public
pipelines are disabled. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-1105.

This vulnerability has been discovered internally by the GitLab team.

Absence of limit for the number of tags that can be added to a runner can cause
performance issues

Adding a very large number of tags to a runner in GitLab CE/EE affecting all
versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows
an attacker to impact the performance of GitLab. This is a medium severity
issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated
in the latest release and is assigned CVE-2022-1099.

This vulnerability has been discovered internally by the GitLab team.

Client DoS through rendering crafted comments

A potential DoS vulnerability in GitLab CE/EE versions 13.7 before 14.7.7, all
versions starting from 14.8 before 14.8.5, and all versions starting from 14.9
before 14.9.2 allowed an attacker to trigger high CPU usage via specially
crafted input added in Issues, Merge requests, Milestones, Snippets, Wiki
pages, etc. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-1174.

Thanks scaramouche31 for reporting this vulnerability through our HackerOne bug
bounty program.

Blind SSRF Through Repository Mirroring

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all
versions starting from 14.9 before 14.9.2 where a blind SSRF attack through the
repository mirroring feature was possible. This is a low severity issue
(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7). It is now mitigated in the
latest release and is assigned CVE-2022-1188.

Thanks jimeno for reporting this vulnerability through our HackerOne bug bounty
program.

Bypass of branch restriction in Asana integration

Incorrect authorization in the Asana integration's branch restriction feature
in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all
versions starting from 14.8 before 14.8.5, and all versions starting from 14.9
before 14.9.2 makes it possible to close Asana tasks from unrestricted
branches. This is a low severity issue
(CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the
latest release and is assigned CVE-2022-0740.

Thanks ooooooo_q for reporting this vulnerability through our HackerOne bug
bounty program.

Readable approval rules by Guest user

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 12.2 before 14.7.7, all versions starting from 14.8 before 14.8.5, and all
versions starting from 14.9 before 14.9.2 that allowed an unauthorised user
to read the approval rules of a private project. This is a low severity
issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated
in the latest release and is assigned CVE-2022-1189.

This vulnerability has been discovered internally by the GitLab team.

Redact InvalidURIError error messages

Missing sanitization of logged exception messages in all versions prior to
14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes
potential sensitive values in invalid URLs to be logged. This is a low severity
issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N, 2.6). It is now mitigated
in the latest release and is assigned CVE-2022-1157.

This vulnerability has been discovered internally by the GitLab team.

Project import maps members' created_by_id users based on source user ID

A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to
14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions
caused imported projects to show an incorrect user in the 'Access Granted'
column in the project membership pages. This is a low severity issue
(CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N, 2.4). It is now mitigated in the
latest release and is assigned CVE-2022-1111.

This vulnerability has been discovered internally by the GitLab team.

Update commonmarker

The version of commonmarker has been updated to 0.23.4 in order to mitigate
security concerns.

Versions affected

Affects all versions of GitLab CE/EE

Update Grafana

The version of Grafana has been updated to 7.5.15 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab Omnibus

Update Mattermost

The version of Mattermost has been updated to 6.4.2, 6.3.5, and 6.2.5 in order
to mitigate security concerns.

Versions affected

Affects all versions of GitLab CE/EE.

Update Swagger

The version of Swagger has been updated to 4.0.0 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab CE/EE

Update Python

The version of Python has been updated to 3.8.12 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab Charts.

Update go-proxyproto

The version of go-proxyproto has been updated to 0.6.2 in order to mitigate
security concerns.

Versions affected

Affects all versions of GitLab Pages

Update Devise

The version of devise-two-factor has been updated to 4.0.2 in order to mitigate
security concerns.

Versions affected

Affects all versions of GitLab CE/EE

Non-security updates

14.7.7 and 14.8.5 include a non-security bug fix addressing Merge Request
Approval Rules. The bug is not present in 14.9 releases.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.

Script to identify users potentially impacted by CVE-2022-1162

GitLab has prepared a script which can be used by self-managed instance admins
to identify user accounts potentially impacted by CVE-2022-1162.

# This script identifies users who may have been impacted by
# CVE-2022-1162.
# The list is not exhaustive and may not include attackers who have
# gained access and modified an account.
#
# The START_DATE can be changed to the date a vulnerable version was
# installed.
#
# The result is a CSV printed to STDOUT containing potentially affected
# users. The columns are:
#   - User ID (integer)
#   - Username (string)
#   - User's email (string)
#   - Whether the user still has an automatically set password (boolean)
#
# We strongly recommend that all GitLab installations be upgraded to
# 14.9.2, 14.8.5, or 14.7.7 immediately.
# See: https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/
#
# To run the script, place this script into a file, e.g. /tmp/find-impacted-users.rb,
# on your GitLab instance and then run the following command to execute the script:
#
#     gitlab-rails runner /tmp/find-impacted-users.rb
#
require 'csv'

# Allow long-running queries on large instances (10 minutes, in milliseconds).
ActiveRecord::Base.connection.execute('set statement_timeout to 600000')

START_DATE = Time.utc(2022, 1, 20)

# Highest user ID written so far; a retry resumes after it instead of
# re-emitting rows that were already printed.
user_id = 0
attempts = 0
MAX_ATTEMPTS = 5

csv = CSV.new(STDOUT)
begin
  # Users created on or after START_DATE whose OmniAuth identity was also
  # created in that window. A user with several identities can appear more
  # than once; de-duplicate on the User ID column when processing the output.
  users = User.
    joins(:identities).
    where('users.created_at >= ?', START_DATE).
    where('identities.created_at >= ?', START_DATE).
    where('users.id > ?', user_id)

  users.in_batches(of: 250).each_record do |user|
    csv << [user.id, user.username, user.email, user.password_automatically_set?]
    user_id = user.id
  end
rescue StandardError => e
  # Retry transient database errors (e.g. a statement timeout) a bounded
  # number of times, then surface the error instead of looping forever.
  attempts += 1
  retry if attempts < MAX_ATTEMPTS
  warn "Giving up after #{attempts} attempts: #{e.class}: #{e.message}"
  raise
end


GitLab has conducted limited testing to validate this script. As such this
script is provided AS-IS and GitLab makes no warranties of any kind. GITLAB
HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, TITLE, AND NON-INFRINGEMENT.

After identifying potentially affected user accounts, it is recommended to
reset a user's password.
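As an added example that is not part of GitLab's advisory or its script, the following Ruby reads the CSV that the script above prints, de-duplicates users who appear on more than one row (the query joins on identities, so a user with several OmniAuth identities is listed once per identity), and separates accounts that still carry the automatically set password, which should be reset first, from those whose password has since changed, which still merit review. The sample CSV rows are constructed, and the helper names parse_impacted and triage are assumptions.

```ruby
require 'csv'

# Constructed sample of the script's output (no header row, four columns:
# user id, username, email, password still automatically set?).
# User 42 appears twice, as happens for a user with two OmniAuth identities.
SAMPLE_CSV = <<~ROWS
  42,alice,alice@example.com,true
  42,alice,alice@example.com,true
  57,bob,bob@example.com,false
  61,carol,carol@example.com,true
ROWS

Impacted = Struct.new(:id, :username, :email, :auto_password, keyword_init: true)

# Parse the CSV text into unique Impacted records, keyed on the user ID so a
# user listed once per identity is only counted once. Blank lines are skipped.
def parse_impacted(csv_text)
  users = {}
  CSV.parse(csv_text).each do |id, username, email, auto|
    next if id.nil? || id.strip.empty?
    users[id.to_i] ||= Impacted.new(
      id: id.to_i, username: username, email: email,
      auto_password: auto.to_s.strip.downcase == 'true'
    )
  end
  users.values.sort_by(&:id)
end

# Split the unique users into two groups:
#   reset_first - the password is still the automatically set one, so the
#                 account is directly exposed and should be reset immediately;
#   review      - the password was changed after creation. The advisory notes
#                 that an attacker who already had access may have changed it,
#                 so these accounts still need a look (and a reset is cheap).
def triage(csv_text)
  users = parse_impacted(csv_text)
  still_auto, changed = users.partition(&:auto_password)
  {
    total: users.size,
    reset_first: still_auto.map(&:username),
    review: changed.map(&:username)
  }
end

if __FILE__ == $PROGRAM_NAME
  result = triage(SAMPLE_CSV)
  puts "#{result[:total]} unique potentially impacted accounts"
  puts "Reset first: #{result[:reset_first].join(', ')}"
  puts "Review (password changed since creation): #{result[:review].join(', ')}"
end
```

Feed it the real output by replacing SAMPLE_CSV with File.read of the file the script was redirected to.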

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================