Today we are releasing versions 10.5.6, 10.4.6, and 10.3.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.
The vulnerability details will be made public on our issue tracker in approximately 30 days.
Please read on for more information regarding this release.
SSRF in services and web hooks
There were multiple server-side request forgery issues in the Services feature. An attacker could make requests to servers within the same network of the GitLab instance. This could lead to information disclosure, authentication bypass, or potentially code execution. This issue has been assigned CVE-2018-8801.
Thanks to @jobert from HackerOne for reporting this.
Versions Affected
- Affects GitLab CE/EE 8.3 and up
Remediation
We strongly recommend that all installations running an affected version listed above be upgraded to the latest version as soon as possible.
GitLab Auth0 integration issue
There was an issue with the GitLab omniauth-auth0 configuration which resulted in the Auth0 integration signing in the wrong users.
Thanks to Trond Hindenes for reporting this issue.
Versions Affected
- Affects GitLab CE 8.6 and up
Remediation
We strongly recommend that all installations running an affected version listed above be upgraded to the latest version as soon as possible.
Updating
To update, check out our update page.
Update (2018-03-21 7:00PM UTC)
In order to address the SSRF issue, we created a new checkbox setting to allow outbound requests to local networks (IPv4 and IPv6 private address ranges). This is currently unchecked by default.
The setting is located in Admin area->Settings->Outbound Requests. If you need to allow outbound requests to your local network for hooks and services, please enable this checkbox. Note that by checking this, your GitLab instance will be vulnerable to the SSRF issue mentioned above.
To provide a more flexible and improved solution, we may add a configurable whitelist at a future date.
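The following is an added illustration of the kind of outbound-request check the setting above describes; it is not GitLab's own code. It validates a hook or service URL before any request is made: only http/https schemes are accepted, every address the host resolves to is compared against the private IPv4/IPv6 ranges, and an `allow_local_network` flag plays the role of the new checkbox. DNS resolution is injected so the check can run offline; the hostnames and addresses in the comments and test (`hooks.example.com`, `203.0.113.x`) are constructed sample values, not anything from this release.

```ruby
require 'ipaddr'
require 'uri'
require 'resolv'

# Added example, not GitLab's own code. Assumption: the caller passes the
# configured value of the "allow outbound requests to local networks" setting
# as allow_local_network, and (for tests) an offline resolver.
module OutboundRequestPolicy
  # Address blocks an instance should refuse by default. Checking the
  # resolved address rather than the hostname string is what stops a hook
  # pointing at an internal host by name.
  BLOCKED_RANGES = [
    '127.0.0.0/8',      # IPv4 loopback
    '10.0.0.0/8',       # RFC 1918 private
    '172.16.0.0/12',    # RFC 1918 private
    '192.168.0.0/16',   # RFC 1918 private
    '169.254.0.0/16',   # IPv4 link-local
    '0.0.0.0/8',        # "this" network
    '::1/128',          # IPv6 loopback
    'fc00::/7',         # IPv6 unique local (private)
    'fe80::/10'         # IPv6 link-local
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  ALLOWED_SCHEMES = %w[http https].freeze

  class BlockedError < StandardError; end

  # Real DNS by default; tests inject a lambda backed by a fixed hash.
  DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

  # True if the IP string falls in any blocked range.
  def self.local_address?(ip)
    addr = IPAddr.new(ip)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.5) is judged as its IPv4 form,
    # otherwise it would slip past the IPv4-only ranges.
    addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(addr) }
  end

  # Returns the resolved addresses the request may go to, or raises BlockedError.
  def self.check!(url, allow_local_network: false, resolver: DEFAULT_RESOLVER)
    uri = URI.parse(url)
    unless ALLOWED_SCHEMES.include?(uri.scheme)
      raise BlockedError, "scheme not allowed: #{uri.scheme.inspect}"
    end
    host = uri.hostname # strips the [] around an IPv6 literal
    raise BlockedError, 'missing host' if host.nil? || host.empty?

    ips = begin
      [IPAddr.new(host).to_s]  # host is already an IP literal
    rescue IPAddr::InvalidAddressError
      resolver.call(host)      # otherwise take every A/AAAA record
    end
    raise BlockedError, "unresolvable host: #{host}" if ips.empty?

    # Every record must pass: a name with one public and one private record
    # would otherwise let DNS choose the internal target at request time.
    unless allow_local_network
      bad = ips.select { |ip| local_address?(ip) }
      unless bad.empty?
        raise BlockedError, "#{host} resolves to local address(es): #{bad.join(', ')}"
      end
    end
    ips
  end

  # Boolean convenience wrapper; malformed URLs are simply refused.
  def self.allowed?(url, **opts)
    check!(url, **opts)
    true
  rescue BlockedError, URI::InvalidURIError
    false
  end
end
```

Note that the resolved addresses are returned so a caller can connect to exactly what was checked; re-resolving the hostname when the request is finally sent would reopen the gap between check and use.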
Update (2018-03-23 9:00AM UTC)
If you are currently using Auth0, the configuration will need to be updated slightly.
Check the Auth0 integration documentation for the correct syntax.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.