Security Notice for GitKraken users with GitLab
Published on: October 11, 2021

Notice for GitKraken users with GitLab

How we responded to Axosoft’s GitKraken software vulnerability affecting SSH keys and actions users should take.


We’re sharing details on a vulnerability found in the Axosoft GitKraken software. Axosoft found a defect in the key-generation package used by GitKraken versions 7.6.0 to 8.0.0 that could generate weak or duplicate SSH keys. This could enable an attacker to gain unauthorized access to an account or to repositories on GitLab.com or on a self-managed instance.

Based on our investigations to date, there is no indication that GitLab.com or any projects on GitLab.com that use the GitKraken tool have been impacted by this vulnerability.

Who is affected?

This vulnerability affects GitKraken users who created SSH keys using GitKraken releases from May 12, 2021 (7.6.0) to the week of September 27, 2021 (8.0.0).

GitKraken 8.0.1, released on September 28, 2021, fixes the bug.

Action we have taken

  • We have emailed users with affected keys earlier today, October 11, 2021.
  • For GitLab.com customers, we have already blocked known weak keys.

If affected, action you need to take

If you used a version of GitKraken prior to 8.0.1 to generate SSH keys, we highly recommend that you take the following actions:

Self-managed customers:

  1. Revoke the SSH keys immediately. For additional instructions, see: https://docs.gitlab.com/ee/administration/credentials_inventory.html#delete-a-users-ssh-key

  2. Update GitKraken to the latest version: https://support.gitkraken.com/release-notes/current/

  3. Generate new SSH keys: https://support.gitkraken.com/integrations/gitlab/#generating-an-ssh-key-for-gitlab

GitLab.com customers:

  1. Update GitKraken to the latest version: https://support.gitkraken.com/release-notes/current/

  2. Generate new SSH keys: https://support.gitkraken.com/integrations/gitlab/#generating-an-ssh-key-for-gitlab
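As an added example (not part of GitLab's notice or of either product's code), a Python helper for self-managed administrators that takes the key records returned by GitLab's `GET /users/:id/keys` API and flags those uploaded while a vulnerable GitKraken release was current (May 12 to September 27, 2021), producing the matching `DELETE /users/:id/keys/:key_id` URLs for review. The sample key records and the instance URL are constructed.

```python
import json
from datetime import datetime, timezone

# Affected releases per the notice: 7.6.0 (May 12, 2021) through 8.0.0;
# 8.0.1 shipped on September 28, 2021, so uploads before that date are suspect.
WINDOW_START = datetime(2021, 5, 12, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 9, 28, tzinfo=timezone.utc)

# Constructed sample in the shape returned by GET /users/:id/keys
SAMPLE_KEYS_JSON = """[
  {"id": 11, "title": "laptop (GitKraken)", "key": "ssh-rsa AAAAB3...", "created_at": "2021-06-03T09:12:44.000Z"},
  {"id": 12, "title": "yubikey", "key": "ssh-ed25519 AAAAC3...", "created_at": "2020-11-20T18:01:02.000Z"},
  {"id": 13, "title": "ci-runner", "key": "ssh-rsa AAAAB3...", "created_at": "2021-10-02T07:30:00.000Z"}
]"""


def load_keys(raw_json):
    """Parse the JSON array returned by the users keys endpoint."""
    return json.loads(raw_json)


def parse_created_at(value):
    """GitLab returns ISO 8601 timestamps with a trailing 'Z' (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def keys_in_window(keys):
    """Return key records uploaded while a vulnerable GitKraken release was current."""
    return [k for k in keys if WINDOW_START <= parse_created_at(k["created_at"]) < WINDOW_END]


def revoke_urls(base_url, user_id, keys):
    """Build the DELETE /users/:id/keys/:key_id URLs for flagged keys (nothing is sent here)."""
    return [f"{base_url}/api/v4/users/{user_id}/keys/{k['id']}" for k in keys_in_window(keys)]


if __name__ == "__main__":
    keys = load_keys(SAMPLE_KEYS_JSON)
    for url in revoke_urls("https://gitlab.example.com", 42, keys):
        print("review/revoke:", url)
```

Upload date is only a first filter: a key generated in the window could have been uploaded later, so confirm with the user which tool produced each key before relying on this list.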

More information can be found in Axosoft’s disclosure: https://www.gitkraken.com/blog/weak-ssh-key-fix and in CVE-2021-41117.

For questions or concerns regarding GitKraken or its use with GitLab, please contact Axosoft ([email protected]). For questions concerning your GitLab account, please contact our Support department.
