GitLab is urging users to install a security update for branches 15.1, 15.2, and 15.3 of its community and enterprise editions to fix a critical vulnerability that could enable an attacker to perform remote command execution via Github import.
GitLab is a web-based Git repository for developer teams that need to manage their code remotely. It has approximately 30 million registered users and one million paying customers.
The vulnerability addressed by this security update is tracked as CVE-2022-2884 and assigned a CVSS v3 criticality score of 9.9. It impacts all versions starting from 11.3.4 and up to 15.1.4, those between 15.2 and 15.2.3, and 15.3.
Additionally, GitLab underlines that the deployment type (omnibus, source code, helm chart, etc.) doesn’t make a difference, as all of them are impacted.
Remote command execution is a potent type of flaw, enabling remote attackers to run malicious code on the target machine, inject malware and backdoors, or take complete control of the vulnerable endpoint.
Using this vulnerability, a threat actor could take control over the server, steal or delete source code, perform malicious commits, and more.
The latest GitLab versions that address the problem are 15.3.1, 15.2.3, and 15.1.5, which users are advised to upgrade to immediately.
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” mentions GitLab’s release announcement.
If it’s not possible to install the security updates for whatever reason, GitLab recommends applying a workaround consisting of disabling GitHub import, a tool used for importing entire software projects from GitHub to GitLab.
To apply the workaround, following these steps:
Log in using an administrator account to your GitLab installation
Click “Menu” -> “Admin”
Click “Settings” -> “General”
Expand the “Visibility and access controls” tab
Under “Import sources” disable the “GitHub” option
Click “Save changes”
To verify that the workaround has been correctly implemented, follow these steps:
In a browser window, login as any user.
Click “+” on the top bar.
Click “New project/repository”.
Click “Import project”.
Verify that “GitHub” does not appear as an import option
For instructions on how to update your GitLab installation, check out the project’s official updating portal.
Typically, powerful flaws enter active exploitation status a few days after they are disclosed through the release of security updates. Therefore, it is strongly advised to apply the recommended updates or mitigations as soon as possible.