Apr 10, 2019 - Kathy Wang  

Group Runner Registration Token Vulnerability

How we responded to a vulnerability in group runner registration tokens.

In keeping with GitLab’s value of transparency we believe in communicating potential and confirmed security incidents clearly and promptly. GitLab takes the security and privacy of your data extremely seriously. We will always take the most expedient and effective action to prevent and mitigate security risks, and will strive to use those lessons learned to improve our security posture and protect customer data.

Background

On April 5, 2019 we received a submission through our public HackerOne program by storm_spirit describing a vulnerability which exposed Group Runner Registration Tokens. Although there is no evidence to suggest that any projects on GitLab.com have been accessed in an unauthorized manner, we took the action to reset all group registration tokens on GitLab.com earlier this week. For GitLab.com customers, no further action is required. For self-managed customers, please see the Action Required section below for further instructions.

Response and mitigation

Following analysis of the vulnerability and the impacted areas of GitLab, a patch was deployed to GitLab.com on April 8, 2019, and between 09:00 and 09:40 UTC the Group Runner Registration Tokens were reset for all groups hosted on GitLab.com. The results of this deployment allowed us to validate the fix and confidently include it as part of the GitLab Enterprise Edition (EE) 11.9.7, 11.8.7, and 11.7.11 critical security releases.

In parallel to the analysis, an investigation found no evidence to suggest any projects on GitLab.com had been compromised as a result of this vulnerability. We will continue to monitor for any related impact on GitLab.com.

Action Required

We strongly recommend that all self-managed instances of GitLab Enterprise Edition be upgraded to 11.9.7, 11.8.7, or 11.7.11 to resolve this vulnerability.

Self-managed instances of GitLab Community Edition are not affected by this vulnerability and no further action is required.

GitLab.com users are no longer at risk from the vulnerability following the April 8th patch, and no action is required. If you are experiencing issues with Runners related to Registration Tokens, we encourage you to review our Runner documentation or contact GitLab Support for further assistance.
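For administrators of several self-managed instances, the Action Required section above boils down to a per-branch version check. The following is an added example, not GitLab's own tooling: it encodes the advisory's facts (EE 11.7.11, 11.8.7 and 11.9.7 are the patched releases; CE is not affected) and classifies an instance from its version string. It assumes the instance reports its version as `MAJOR.MINOR.PATCH[-ee]` via `GET /api/v4/version` (an authenticated endpoint), that a missing edition suffix means Community Edition, and that every EE release on a branch newer than 11.9 also carries the fix; the sample version strings in the block are constructed.

```python
"""Classify a self-managed GitLab instance against the group runner
registration token advisory (added example, not GitLab's own code)."""
import json
import re
import urllib.request
from typing import Optional, Tuple

# Patched Enterprise Edition releases named in the advisory, keyed by branch.
FIXED_EE = {(11, 7): 11, (11, 8): 7, (11, 9): 7}
NEWEST_FIXED_BRANCH = max(FIXED_EE)   # (11, 9)

# Assumption: GitLab reports "MAJOR.MINOR.PATCH" with an optional "-ee"/"-ce" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), edition); no suffix is treated as CE (assumed)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch)), (edition or "ce")


def assess(text: str) -> str:
    """'not-affected' for CE, 'fixed' for a patched EE release, else 'upgrade-required'."""
    (major, minor, patch), edition = parse_version(text)
    if edition != "ee":
        return "not-affected"            # the advisory states CE is not affected
    branch = (major, minor)
    if branch in FIXED_EE:
        return "fixed" if patch >= FIXED_EE[branch] else "upgrade-required"
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"                   # assumption: later branches ship the fix
    return "upgrade-required"            # older than the oldest patched branch


def recommended_target(text: str) -> Optional[str]:
    """Patched release on the instance's own branch, or the newest patched release
    when the branch predates the advisory; None when no upgrade is needed."""
    if assess(text) != "upgrade-required":
        return None
    (major, minor, _), _ = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_EE:
        return f"{major}.{minor}.{FIXED_EE[branch]}"
    newest_major, newest_minor = NEWEST_FIXED_BRANCH
    return f"{newest_major}.{newest_minor}.{FIXED_EE[NEWEST_FIXED_BRANCH]}"


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from GET /api/v4/version using a personal access token."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample version strings, not taken from real instances.
    samples = ["11.9.6-ee", "11.9.7-ee", "11.8.7-ee", "11.6.3-ee", "11.10.0-ee", "11.9.6"]
    for sample in samples:
        print(f"{sample:12} -> {assess(sample):17} target={recommended_target(sample)}")
```

Running the block prints one line per constructed sample; to check a live instance, call `fetch_version(base_url, token)` and pass the result to `assess`.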
