-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1418.2
        GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7
                                4 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab Community Edition (CE)
                   GitLab Enterprise Edition (EE)
Publisher:         GitLab
Operating System:  Windows
                   Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1193 CVE-2022-1190 CVE-2022-1189 CVE-2022-1188
                   CVE-2022-1185 CVE-2022-1175 CVE-2022-1174 CVE-2022-1162
                   CVE-2022-1157 CVE-2022-1148 CVE-2022-1121 CVE-2022-1120
                   CVE-2022-1111 CVE-2022-1105 CVE-2022-1100 CVE-2022-1099
                   CVE-2022-0740

Original Bulletin:
   https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/

Comment: CVSS (Max):  9.1 CVE-2022-1162 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
         CVSS Source: GitLab
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Revision History:  April 4 2022: Vendor updated advisory by adding a script to help
                                 admins identify user accounts potentially impacted
                                 by CVE-2022-1162. Also updated the CVSS score.
                   April 1 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7

Updated 14:50 UTC 2022-04-01: We have updated this blog post with a script to be
used by self-managed instance admins to identify user accounts potentially impacted
by CVE-2022-1162.

Today we are releasing versions 14.9.2, 14.8.5, and 14.7.7 for GitLab Community
Edition (CE) and Enterprise Edition (EE). Please note, this critical release will
also serve as our monthly security release for March.

We strongly recommend that all GitLab installations be upgraded to one of these
versions immediately.

These versions contain important security fixes. GitLab.com is already running the
patched version.

GitLab releases patches for vulnerabilities in dedicated security releases. There
are two types of security releases: a monthly, scheduled security release, released
a week after the feature release (which deploys on the 22nd of each month), and
ad-hoc security releases for critical vulnerabilities. For more information, you can
visit our security FAQ. You can see all of our regular and security release blog
posts here. In addition, the issues detailing each vulnerability are made public on
our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or
that host customer data are held to the highest security standards. As part of
maintaining good security hygiene, it is highly recommended that all customers
upgrade to the latest security release for their supported version. You can read
more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the
issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a
product is mentioned, this means all types are affected.
Table of Fixes

Title                                                                      Severity

Static passwords inadvertently set during OmniAuth-based registration      critical
Stored XSS in notes                                                        high
Stored XSS on Multi-word milestone reference                               high
Denial of service caused by a specially crafted RDoc file                  medium
GitLab Pages access tokens can be reused on multiple domains               medium
GitLab Pages uses default (disabled) server Timeouts and a weak TCP
  Keep-Alive timeout                                                       medium
Incorrect include in pipeline definition exposes masked CI variables
  in UI                                                                    medium
Regular expression denial of service in release asset link                 medium
Latest Commit details from private projects leaked to guest users via
  Merge Requests                                                           medium
CI/CD analytics are available even when public pipelines are disabled      medium
Absence of limit for the number of tags that can be added to a runner
  can cause performance issues                                             medium
Client DoS through rendering crafted comments                              medium
Blind SSRF Through Repository Mirroring                                    low
Bypass of branch restriction in Asana integration                          low
Readable approval rules by Guest user                                      low
Redact InvalidURIError error messages                                      low
Project import maps members' created_by_id users based on source user
  ID                                                                       low

Static passwords inadvertently set during OmniAuth-based registration

A hardcoded password was set for accounts registered using an OmniAuth provider
(e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior
to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over
accounts. This is a critical severity issue
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, 9.1). It is now mitigated in the
latest release and is assigned CVE-2022-1162. This vulnerability has been
discovered internally by the GitLab team.

Note: We executed a reset of GitLab.com passwords for a selected set of users as of
15:38 UTC. Our investigation shows no indication that users or accounts have been
compromised but we're taking precautionary measures for our users' security.
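The scores quoted in this bulletin can be recomputed from their vector strings. The Ruby script below is an added example and is not part of the GitLab advisory or the AusCERT bulletin: it implements the CVSS v3.0 base-score formulas from the FIRST specification and checks every vector quoted in this advisory against its published score, so an administrator can confirm the revised 9.1 for CVE-2022-1162 without the online calculator. The CVE-to-vector table inside it is transcribed from this advisory; the round-up helper uses the integer-based procedure from CVSS v3.1, which (as assumed in the code comment) agrees with v3.0 rounding for these vectors.

```ruby
# Added example, not part of the GitLab advisory or the AusCERT bulletin:
# recompute CVSS v3.0 base scores from the vector strings quoted in this
# advisory and compare them with the published scores, e.g. 9.1 for
# CVE-2022-1162. Weights and formulas follow the CVSS v3.0 specification.

AV  = { 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.20 }.freeze
AC  = { 'L' => 0.77, 'H' => 0.44 }.freeze
UI  = { 'N' => 0.85, 'R' => 0.62 }.freeze
CIA = { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 }.freeze
# Privileges Required is weighted higher when Scope is Changed.
PR_SCOPE_UNCHANGED = { 'N' => 0.85, 'L' => 0.62, 'H' => 0.27 }.freeze
PR_SCOPE_CHANGED   = { 'N' => 0.85, 'L' => 0.68, 'H' => 0.50 }.freeze

# Split "CVSS:3.0/AV:N/AC:L/..." into { "AV" => "N", "AC" => "L", ... },
# rejecting vectors that lack one of the eight base metrics.
def parse_vector(vector)
  body = vector.sub(%r{\ACVSS:3\.[01]/}, '')
  metrics = body.split('/').map { |kv| kv.split(':', 2) }.to_h
  %w[AV AC PR UI S C I A].each do |name|
    raise ArgumentError, "#{vector}: missing base metric #{name}" unless metrics.key?(name)
  end
  metrics
end

# Round up to one decimal place. Uses the integer-based procedure from the
# CVSS v3.1 spec so that e.g. 4.3000000001 is not pushed up to 4.4; assumed
# (and checked below) to give the same results as v3.0 rounding for the
# vectors in this advisory.
def roundup(value)
  scaled = (value * 100_000).round
  (scaled % 10_000).zero? ? scaled / 100_000.0 : ((scaled / 10_000).floor + 1) / 10.0
end

def base_score(vector)
  m = parse_vector(vector)
  scope_changed = m['S'] == 'C'

  iss = 1 - (1 - CIA.fetch(m['C'])) * (1 - CIA.fetch(m['I'])) * (1 - CIA.fetch(m['A']))
  impact = if scope_changed
             7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15
           else
             6.42 * iss
           end
  pr = (scope_changed ? PR_SCOPE_CHANGED : PR_SCOPE_UNCHANGED).fetch(m['PR'])
  exploitability = 8.22 * AV.fetch(m['AV']) * AC.fetch(m['AC']) * pr * UI.fetch(m['UI'])

  return 0.0 if impact <= 0
  raw = impact + exploitability
  raw *= 1.08 if scope_changed
  roundup([raw, 10.0].min)
end

# Qualitative rating bands from the v3.0 specification.
def severity(score)
  case score
  when 0.0 then 'none'
  when 0.1..3.9 then 'low'
  when 4.0..6.9 then 'medium'
  when 7.0..8.9 then 'high'
  else 'critical'
  end
end

# Vectors and scores transcribed from the advisory above.
ADVISORY_SCORES = {
  'CVE-2022-1162' => ['CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N', 9.1],
  'CVE-2022-1175' => ['CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N', 8.7],
  'CVE-2022-1185' => ['CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H', 6.5],
  'CVE-2022-1148' => ['CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N', 5.3],
  'CVE-2022-1120' => ['CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N', 4.8],
  'CVE-2022-1100' => ['CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L', 4.3],
  'CVE-2022-1188' => ['CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N', 3.7],
  'CVE-2022-0740' => ['CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N', 3.1],
  'CVE-2022-1157' => ['CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N', 2.6],
  'CVE-2022-1111' => ['CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N', 2.4],
}.freeze

# Returns the CVEs whose recomputed score differs from the published one.
def mismatches(table = ADVISORY_SCORES)
  table.reject { |_, (vector, published)| base_score(vector) == published }.keys
end

if __FILE__ == $PROGRAM_NAME
  ADVISORY_SCORES.each do |cve, (vector, published)|
    score = base_score(vector)
    puts format('%-14s %-46s computed %.1f (%s) published %.1f', cve, vector, score, severity(score), published)
  end
  puts(mismatches.empty? ? 'all scores match' : "mismatches: #{mismatches.join(', ')}")
end
```

Run it with plain `ruby`; it needs no GitLab installation. A non-empty mismatch list would point to a transcription error in the table or a score computed under a different CVSS version, which is worth knowing before a score is copied into an internal ticket.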
Stored XSS in notes

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7,
all versions starting from 14.8 before 14.8.5, all versions starting from 14.9
before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. This
is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is
now mitigated in the latest release and is assigned CVE-2022-1175.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty
program.

Stored XSS on Multi-word milestone reference

Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8
prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored
XSS by abusing multi-word milestone references in issue descriptions, comments, etc.
This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2022-1190.

Thanks ryhmnlfj for reporting this vulnerability through our HackerOne bug bounty
program.

Denial of service caused by a specially crafted RDoc file

A denial of service vulnerability when rendering RDoc files in GitLab CE/EE versions
10 to 14.7.7, 14.8.0 to 14.8.5, and 14.9.0 to 14.9.2 allows an attacker to crash
the GitLab web application with a maliciously crafted RDoc file. This is a medium
severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now
mitigated in the latest release and is assigned CVE-2022-1185.

Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty
program.

GitLab Pages access tokens can be reused on multiple domains

Improper authorization in GitLab Pages included with GitLab CE/EE affecting all
versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2
allowed an attacker to steal a user's access token on an attacker-controlled private
GitLab Pages website and reuse that token on the victim's other private websites.
This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, 5.3).
It is now mitigated in the latest release and is assigned CVE-2022-1148.

Thanks ehhthing for reporting this vulnerability through our HackerOne bug bounty
program.

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive
timeout

A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all versions
prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker
to cause unlimited resource consumption. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, 5.3). It is now mitigated in the
latest release and is assigned CVE-2022-1121.

Thanks feistel for reporting this vulnerability.

Incorrect include in pipeline definition exposes masked CI variables in UI

Missing filtering in an error message in GitLab CE/EE affecting all versions prior
to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 exposed sensitive
information when an include directive fails in the CI/CD configuration. This is a
medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N, 4.8). It is
now mitigated in the latest release and is assigned CVE-2022-1120.

Thanks bdrich for reporting this vulnerability through our HackerOne bug bounty
program.

Regular expression denial of service in release asset link

A potential DoS vulnerability was discovered in GitLab CE/EE affecting all versions
from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2. The
API for updating a release asset link had a regex check which caused an exponential
number of backtracks for certain user-supplied values, resulting in high CPU usage.
This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2022-1100.

This vulnerability has been discovered internally by the GitLab team.

Latest Commit details from private projects leaked to guest users via Merge
Requests

Improper access control in GitLab CE/EE since version 10.7 allows a malicious actor
to obtain details of the latest commit in a private project via Merge Requests under
certain circumstances. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-1193.

Thanks albatraoz for reporting this vulnerability through our HackerOne bug bounty
program.

CI/CD analytics are available even when public pipelines are disabled

An improper access control vulnerability in GitLab CE/EE affecting all versions from
13.11 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an
unauthorized user to access pipeline analytics even when public pipelines are
disabled. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-1105.

This vulnerability has been discovered internally by the GitLab team.

Absence of limit for the number of tags that can be added to a runner can cause
performance issues

Adding a very large number of tags to a runner in GitLab CE/EE affecting all
versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an
attacker to impact the performance of GitLab. This is a medium severity issue
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the
latest release and is assigned CVE-2022-1099.

This vulnerability has been discovered internally by the GitLab team.

Client DoS through rendering crafted comments

A potential DoS vulnerability was discovered in GitLab CE/EE versions 13.7 before
14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from
14.9 before 14.9.2 that allowed an attacker to trigger high CPU usage via specially
crafted input added in Issues, Merge requests, Milestones, Snippets, Wiki pages,
etc. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L,
4.3). It is now mitigated in the latest release and is assigned CVE-2022-1174.

Thanks scaramouche31 for reporting this vulnerability through our HackerOne bug
bounty program.

Blind SSRF Through Repository Mirroring

An issue has been discovered in GitLab CE/EE affecting all versions starting from
12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions
starting from 14.9 before 14.9.2 where a blind SSRF attack through the repository
mirroring feature was possible. This is a low severity issue
(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7). It is now mitigated in the
latest release and is assigned CVE-2022-1188.

Thanks jimeno for reporting this vulnerability through our HackerOne bug bounty
program.

Bypass of branch restriction in Asana integration

Incorrect authorization in the Asana integration's branch restriction feature in all
versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions
starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2
makes it possible to close Asana tasks from unrestricted branches. This is a low
severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now
mitigated in the latest release and is assigned CVE-2022-0740.

Thanks ooooooo_q for reporting this vulnerability through our HackerOne bug bounty
program.

Readable approval rules by Guest user

An issue has been discovered in GitLab CE/EE affecting all versions starting from
12.2 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions
starting from 14.9 before 14.9.2 that allowed an unauthorised user to read the
approval rules of a private project. This is a low severity issue
(CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the
latest release and is assigned CVE-2022-1189.

This vulnerability has been discovered internally by the GitLab team.

Redact InvalidURIError error messages

Missing sanitization of logged exception messages in all versions prior to 14.7.7,
14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potentially
sensitive values in invalid URLs to be logged. This is a low severity issue
(CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N, 2.6). It is now mitigated in the
latest release and is assigned CVE-2022-1157.

This vulnerability has been discovered internally by the GitLab team.

Project import maps members' created_by_id users based on source user ID

A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to
14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions
caused imported projects to show an incorrect user in the 'Access Granted' column
in the project membership pages. This is a low severity issue
(CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N, 2.4). It is now mitigated in the
latest release and is assigned CVE-2022-1111.

This vulnerability has been discovered internally by the GitLab team.

Update commonmarker

The version of commonmarker has been updated to 0.23.4 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab CE/EE

Update Grafana

The version of Grafana has been updated to 7.5.15 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab Omnibus

Update Mattermost

The version of Mattermost has been updated to 6.4.2, 6.3.5, and 6.2.5 in order to
mitigate security concerns.

Versions affected

Affects all versions of GitLab CE/EE.

Update Swagger

The version of Swagger has been updated to 4.0.0 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab CE/EE

Update Python

The version of Python has been updated to 3.8.12 in order to mitigate security
concerns.

Versions affected

Affects all versions of GitLab Charts.

Update go-proxyproto

The version of go-proxyproto has been updated to 0.6.2 in order to mitigate security
concerns.
Versions affected

Affects all versions of GitLab Pages

Update Devise

The version of devise-two-factor has been updated to 4.0.2 in order to mitigate
security concerns.

Versions affected

Affects all versions of GitLab CE/EE

Non-security updates

14.7.7 and 14.8.5 include a non-security bug fix addressing Merge Request Approval
Rules. The bug is not present in 14.9 releases.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the
Runner page.

Script to identify users potentially impacted by CVE-2022-1162

GitLab has prepared a script which can be used by self-managed instance admins to
identify user accounts potentially impacted by CVE-2022-1162.

# This script identifies users who may have been impacted by
# CVE-2022-1162.
# The list is not exhaustive and may not include attackers who have
# gained access and modified an account.
#
# The START_DATE can be changed to the date a vulnerable version was
# installed.
#
# The result is a CSV printed to STDOUT containing potentially affected
# users. The columns are:
# - User ID (integer)
# - Username (string)
# - User's email (string)
# - Whether the user still has an automatically set password (boolean)
#
# We strongly recommend that all GitLab installations be upgraded to
# 14.9.2, 14.8.5, or 14.7.7 immediately.
# See: https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/
#
# To run the script, place this script into a file, e.g. /tmp/find-impacted-users.rb,
# on your GitLab instance and then run the following command to execute the script:
#
#     gitlab-rails runner /tmp/find-impacted-users.rb
#
require 'csv'

# Allow the query up to 10 minutes (600000 ms) before PostgreSQL cancels it.
ActiveRecord::Base.connection.execute('set statement_timeout to 600000')

# Earliest account creation date to consider; the affected releases are 14.7
# and later. Change this to the date a vulnerable version was installed.
START_DATE = Time.utc(2022, 1, 20)
user_id = 0
csv = CSV.new(STDOUT)

begin
  # Accounts registered through an OmniAuth provider have an identities row;
  # only those created on or after START_DATE could have received the static
  # password. The users.id condition lets a retry resume where it stopped.
  users = User.
    joins(:identities).
    where('users.created_at >= ?', START_DATE).
    where('identities.created_at >= ?', START_DATE).
    where('users.id > ?', user_id)

  users.in_batches(of: 250).each_record do |user|
    csv << [user.id, user.username, user.email, user.password_automatically_set?]
    user_id = user.id
  end
rescue
  # On a transient error (for example a statement timeout) resume from the
  # last user that was written out rather than starting over.
  retry
end

GitLab has conducted limited testing to validate this script. As such this script is
provided AS-IS and GitLab makes no warranties of any kind. GITLAB HEREBY DISCLAIMS
ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND
NON-INFRINGEMENT.

After identifying potentially affected user accounts, it is recommended to reset
each user's password.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your request to
the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT
did not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date, it
is recommended that the bulletin is retrieved directly from the author's website to
ensure that the information is still current.
Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYkooeuNLKJtyKPYoAQjIQw//ebirxCgSnoQtr+axZ4z0dTY0/XVMQlmW
3TLZDypjhBtp7tEm6yAgULIGteIXhvjfm1iQgpX2TQ0KGn/iUD5DMiIYyfOpg2w2
/AcS5obA0uSZq78XezhG6cHVqhb+zddzh29djpKdJowptYoYteufQCLbkoUiAhTH
kbPimUkUYvWLc+ps1IZhaFR7H7CCoracdFSoXWO4lEPBSyNiR90i4k03T+yMwLdP
UoagfgkN2agc9PvVNSJt+JwXQF/y7ybWbj2aCEtHDmeSqqWuJPhHUcRf1fHXXVCN
s2f1WNho1VU7T+oQHG2pvfeb44cG29WNHvVtQby52O0gUttNQwxOp2E+Ms3E5tEG
vjmad2oAf/BCbTn6ADOXuUbcx3Ek8X2VdoS2i9tUgiySlwUBxcIlFOaM8oxKQSlU
DN8llmvCJHVAqAuDyY0neIgQkg/1dD2qnnsuSTKTODYVwwjXXAbSOPKG2+QOQVYC
EqAFFJdDOjn0jaGDsACe7cZ+F3Iz9O2/vlDVv6R9+pzykumk8262Xc3gsL2p/giE
V8Psc3eFHTXs+ingsJhb699h6U7vQNH6/agpdyveNLgOv9PwA4rC2iLzU9qQfv5M
auC6IpnkBgA7BHpAkfbKz/Ez+5DbUXNJ8GpgfLkAlmbU2VAnWvFzZaxFW2p6Zjxa
ZmhTexKSfdE=
=Ru2e
-----END PGP SIGNATURE-----