Jan 16, 2018 - James Ritchey  

GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6

Today we are releasing versions 10.3.4, 10.2.6, and 10.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain a number of important security fixes, including two that prevent remote code execution, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

This security release blog post is the first part of two. The second blog will be posted in approximately 30 days, and it will detail the vulnerability findings.

Please read on for more details regarding this release.

Remote Code Execution Vulnerability in GitLab Projects Import

The GitLab projects import component contained a vulnerability which allowed an attacker to write files to arbitrary directories on the server and that could result in remote code execution. The vulnerability has now been mitigated and is assigned to CVE-2017-0915 and CVE-2018-3710.

Thanks to Jobert Abma of HackerOne and Brian Neel for responsibly disclosing these issues to us.

Versions Affected

  • GitLab CE and EE 8.9.0 - 9.5.10
  • GitLab CE and EE 10.0.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Additional Workarounds

  1. Go to /admin/application_settings of your GitLab instance.
  2. Under "Import sources", uncheck the "GitLab export" checkbox.
  3. Click Save.

GitLab CI Runner Can Read and Poison Cache of All Other Projects

A path traversal vulnerability was found in the CI runner, which allowed a malicious user to read and poison other project caches. The issue is now remediated and has been assigned to CVE-2017-0918.

Thanks to Jobert Abma of HackerOne for responsibly disclosing this issue to us.

Versions Affected

  • GitLab CE and EE 8.4.0 - 9.5.10
  • GitLab CE and EE 10.0.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Jupyter Notebook XSS

Projects that have Jupyter Notebooks could execute external JavaScript. This XSS vulnerability was caused by unsanitized output in Jupyter Notebooks. The output is now correctly sanitized before being rendered. This issue has been assigned to CVE-2017-0923.

Versions Affected

  • GitLab CE and EE 9.1.0 - 9.5.10
  • GitLab CE and EE 10.0.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Sensitive Fields Exposed to Admins / Masters in the Services API

The Services API responses were exposing sensitive fields to the Admins and Masters of the service's project. We now filter out those sensitive fields from the Services API responses. This issue has been assigned to CVE-2017-0925.

Thanks to Artur Jan Fijałkowski for responsibly disclosing this issue to us.

Versions Affected

  • GitLab CE and EE 8.0.0 - 9.5.10
  • GitLab CE and EE 10.0.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Login with Disabled OAuth Provider via POST

OAauth providers are configured per instance and can be disabled from the Admin settings page under "Sign-in Restrictions".

It was possible to login with a disabled OAuth provider when bypassing the form with a malicious request. A check has been added to prevent this. This issue has been assigned to CVE-2017-0926.

Thanks to Steve Norman for responsibly disclosing this issue to us.

Versions Affected

  • GitLab CE and EE 8.8.0 - 9.5.10
  • GitLab CE and EE 10.0.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

XSS in Label Dropdown

A persistent XSS vulnerability was discovered in the issue/merge request sidebar label dropdown. Label names inside the sidebar label dropdown are now escaped. This issue has been assigned to CVE-2017-0924.

Thanks to c05m0ch405 for responsibly disclosing this issue to us through HackerOne.

Versions Affected

  • GitLab CE and EE 9.0.0 - 9.5.10
  • GitLab CE and EE 10.0.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Critical SQL Injection in MilestoneFinder

A SQL injection vulnerability was discovered in the MilestoneFinder component. The affected SQL query has now been mitigated. This issue has been assigned to CVE-2017-0914.

Versions Affected

  • GitLab CE and EE 9.4.0 - 9.5.10
  • GitLab CE and EE 10.0.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Critical Vulnerability with Command Injection via Webhooks

A new line injection vulnerability was discovered in the Webhook component that allowed an attacker to inject non-HTTP commands in a TCP stream. The issue has now been mitigated and assigned to CVE-2017-0916.

Versions Affected

  • GitLab CE and EE 8.8.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Cross-site scripting (XSS) vulnerability in CI job output

A persistent XSS vulnerability was discovered in the CI job component, and the issue has now been resolved by performing stricter input validation. This issue has been assigned to CVE-2017-0917.

Thanks to Jobert Abma of HackerOne for responsibly disclosing this issue to us.

Versions Affected

  • GitLab CE and EE 10.1.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Guest Users Can Give Deploy Keys in Other Projects Write Access

An improper authorization vulnerability was discovered in the deployment keys component which resulted in unauthorized use of deployment keys by guest users. The issue has now been resolved and is assigned to CVE-2017-0927. This change altered the /deploy_keys API endpoint, which no longer returns can_push attribute. See our updated documentation.

Versions Affected

  • GitLab CE and EE 8.16.0 - 9.5.10
  • GitLab CE and EE 10.0.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Milestone Authorization Issue on Boards

An authorization bypass vulnerability was discovered in the Boards component which resulted in an information disclosure. The issue has now been resolved and is assigned to CVE-2017-0922.

Versions Affected

  • GitLab EE 9.1.0 - 9.5.10
  • GitLab EE 10.0.0 - 10.1.5
  • GitLab EE 10.2.0 - 10.2.5
  • GitLab EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Authorization Issue When Creating Merge Requests

A vulnerability regarding authorization to create merge requests allowed users to see names of private projects, which also extended to already forked projects. The issue is now mitigated and is assigned to CVE-2017-0920.

Versions Affected

  • GitLab CE and EE 8.8.0 - 10.1.5
  • GitLab CE and EE 10.2.0 - 10.2.5
  • GitLab CE and EE 10.3.0 - 10.3.3

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Upgrade Barometer

These versions include a migration to add a column to deploy_keys table and a post-deploy migration to populate it. No downtime is required.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.

Install GitLab in 2 minutes

With Ubuntu, Debian, CentOS, openSUSE, and Raspbian packages or from source

Install GitLab Now

Try GitLab Ultimate risk-free for 30 days.

No credit card required. Have questions? Contact us.