GitLab fixes critical RCE in Community and Enterprise editions

The widely used DevOps platform GitLab has published critical security updates for its Community Edition (CE) and Enterprise Edition (EE).

The vulnerability has been reported for a number of versions of GitLab CE/EE:

  • all versions from 11.3.4 before 15.1.5
  • all versions from 15.2 before 15.2.3
  • all versions from 15.3 before 15.3.1

The affected versions allow an authenticated user to execute arbitrary code on the server by abusing the "Import from GitHub" API endpoint. The remote code execution (RCE) vulnerability is tracked as CVE-2022-2884 and carries a CVSS score of 9.9, just 0.1 below the maximum severity.

GitLab is an extremely popular open-core platform with 30 million registered users. It allows development teams to host and manage Git repositories remotely, and it provides DevOps features such as CI/CD pipelines, whose jobs are executed by GitLab Runner.


GitLab.com has already been patched, but GitLab also lets users install, administer, and manage their own self-managed instances, and those still need to be patched by their operators. If you are running a vulnerable installation, upgrade to 15.3.1, 15.2.3, or 15.1.5 as soon as possible. GitLab publishes an upgrade guide to help you update your instance.

For those who cannot upgrade immediately, the recommended mitigation is to disable GitHub as an import source under Menu > Admin > Settings > General > Visibility and access controls. GitLab recommends verifying the workaround by starting to create a new project and confirming that "GitHub" is no longer offered among the import options. Note that this only closes the vulnerable endpoint; it is not a substitute for the patch.
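The two steps above (check whether your version falls in an affected range, and if you cannot upgrade yet, confirm the GitHub import source is off) can be automated against a self-managed instance. The following triage script is an added example, not GitLab's own tooling. It encodes the three affected ranges from the advisory and uses two real GitLab REST endpoints, `GET /api/v4/version` and `GET /api/v4/application/settings` (the latter requires an administrator token and exposes the enabled `import_sources`); the sample JSON documents embedded below are constructed so the script runs offline, and the choice to recommend the lowest patched release on the instance's own line is this example's simplification, not advice from the advisory.

```python
"""Triage helper for CVE-2022-2884 on a self-managed GitLab instance (added example)."""
import json
import re
import sys
import urllib.request

# Affected ranges from the advisory, expressed as [first_affected, first_fixed) per release line.
AFFECTED_RANGES = (
    ((11, 3, 4), (15, 1, 5)),   # all versions from 11.3.4 before 15.1.5
    ((15, 2, 0), (15, 2, 3)),   # all versions from 15.2 before 15.2.3
    ((15, 3, 0), (15, 3, 1)),   # all versions from 15.3 before 15.3.1
)

# Constructed sample responses so the script can be exercised without a live instance.
SAMPLE_VERSION = {"version": "15.2.1-ee", "revision": "0123abcd"}          # constructed
SAMPLE_SETTINGS = {"import_sources": ["github", "bitbucket", "git"]}       # constructed


def parse_version(version: str) -> tuple:
    """Turn '15.3.0-ee', '15.2.0-pre' or '15.2' into a comparable (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_release(version: str):
    """Lowest patched release on the same line (15.1.5 / 15.2.3 / 15.3.1), or None if not affected.

    Assumption of this example: older instances may still need GitLab's intermediate
    upgrade stops before reaching 15.1.5; this only names the target.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


def github_import_disabled(settings: dict) -> bool:
    """True when 'github' is absent from import_sources, i.e. the workaround is in place."""
    sources = [s.lower() for s in settings.get("import_sources", [])]
    return "github" not in sources


def triage(version_json: dict, settings_json: dict) -> dict:
    """Combine version check and workaround check into one verdict."""
    version = version_json["version"]
    affected = is_affected(version)
    workaround = github_import_disabled(settings_json)
    return {
        "version": version,
        "affected": affected,
        "upgrade_to": fixed_release(version) if affected else None,
        "workaround_in_place": workaround,
        # Exposed means: vulnerable build AND the GitHub importer is still reachable.
        "exposed": affected and not workaround,
    }


def api_get(base_url: str, path: str, token: str) -> dict:
    """GET an authenticated GitLab v4 API resource (admin token needed for application/settings)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/{path}",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python triage.py https://gitlab.example.com <admin token>
        base, token = sys.argv[1], sys.argv[2]
        result = triage(api_get(base, "version", token),
                        api_get(base, "application/settings", token))
    else:
        result = triage(SAMPLE_VERSION, SAMPLE_SETTINGS)
    print(json.dumps(result, indent=2))
```

Run with no arguments to see the verdict for the constructed sample (a 15.2.1 instance with GitHub import still enabled is reported as exposed, with 15.2.3 as the upgrade target); pass a base URL and an administrator token to run it against a live instance. The `exposed` flag is the one worth alerting on: a patched build or a disabled GitHub importer each clears it, but only the upgrade actually removes the bug.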

RCE vulnerabilities are critical flaws that let attackers run code of their choosing on the targeted system. Once such a vulnerability is publicly disclosed, attackers typically start exploiting it quickly, so patches need to be applied without delay.


Sam D. Gomez