===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0226
            GitLab Security Release: 11.3.1, 11.2.4, and 11.1.7
                              2 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GitLab Community Edition
                      GitLab Enterprise Edition (EE)
Operating System:     Windows
                      Linux variants
                      Virtualisation
Impact/Access:        Denial of Service          -- Remote/Unauthenticated      
                      Cross-site Request Forgery -- Remote with User Interaction
                      Cross-site Scripting       -- Remote with User Interaction
                      Access Confidential Data   -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-17537 CVE-2018-17536 CVE-2018-17455
                      CVE-2018-17454 CVE-2018-17453 CVE-2018-17452
                      CVE-2018-17451 CVE-2018-17450 CVE-2018-17449
                      CVE-2018-15472  
Member content until: Thursday, November  1 2018

OVERVIEW

        Vulnerabilities have been discovered in GitLab Community Edition 
        (CE) and Enterprise Edition (EE) prior to versions 11.3.1, 11.2.4, 
        and 11.1.7. [1]


IMPACT

        The vendor has provided the following information regarding the 
        vulnerability:
        
        "SSRF GCP access token disclosure
        
        The GitLab Kubernetes integration was vulnerable to a SSRF issue 
        which allowed for access to any URL accessible from the GitLab 
        server. For example, for users which run GitLab on GCP, an attacker
        with access to use the GitLab instance would have been able to 
        determine the GCP service token for the GitLab host. The issue is 
        now mitigated in the latest release and is assigned CVE-2018-17450.
        
        Thanks to @ngalog for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects GitLab CE/EE 10.2 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible.
        
        Persistent XSS on issue details
        
        The issue details page contained a lack of input validation and 
        output encoding issue which resulted in a persistent XSS. The issue
        is now mitigated in the latest release and is assigned 
        CVE-2018-17454.
        
        Thanks to @8ayac for responsibly reporting this vulnerability to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 9.3 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible.
        
        Diff formatter DoS in Sidekiq jobs
        
        The diff formatter using rouge lacks a timeout in Sidekiq jobs which
        can result in a denial of service. The issue is now mitigated in the
        latest release and is assigned CVE-2018-15472.
        
        Thanks to Bastian Blank for responsibly reporting this vulnerability
        to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 7.6 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible.
        
        Confidential information disclosure in events API endpoint
        
        The events API contained an insecure direct object reference issue
        which resulted in disclosure of confidential issues, comments, and
        titles of public projects. The issue is now mitigated in the latest
        release and is assigned CVE-2018-17449.
        
        Thanks to @ngalog for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects GitLab CE/EE 9.3 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible.
        
        validate_localhost function in url_blocker.rb could be bypassed
        
        The validate_localhost function was missing a check for loopback 
        addresses which could result in SSRF issues. The issue is now 
        mitigated in the latest release and is assigned CVE-2018-17452.
        
        Thanks to @math1as for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects GitLab CE/EE 8.3 and up.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible.
        
        Slack integration CSRF Oauth2
        
        The Slack integration contained a CSRF issue which could allow an 
        attacker to issue slash commands on behalf of the victim. The issue
        is now mitigated in the latest release and is assigned 
        CVE-2018-17451.
        
        Thanks to @ngalog for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects GitLab CE/EE 9.4 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible.
        
        GRPC::Unknown logging token disclosure
        
        The GRPC::Unknown exception was disclosing access tokens in Sentry 
        logs. The issue is now mitigated in the latest release and is 
        assigned CVE-2018-17453.
        
        Versions Affected
        
        Affects GitLab CE/EE 10.4 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible.
        
        IDOR merge request approvals
        
        The merge request approvals component contained an insecure direct 
        object reference vulnerability which resulted in disclosure of 
        private group names, avatars, LDAP settings, and descriptions. The 
        issue is now mitigated in the latest release and is assigned 
        CVE-2018-17455.
        
        Thanks to @jobert for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects GitLab EE 8.13 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible.
        
        Persistent XSS package.json
        
        When a package.json file is present, the blob-viewer will display a
        notice when browsing the repository which lacks input validation and
        output encoding which can result in a persistent XSS. The issue is
        now mitigated in the latest release and is assigned CVE-2018-17537.
        
        Thanks to @fransrosen for responsibly reporting this vulnerability 
        to us.
        
        Versions Affected
        
        Affects GitLab CE/EE 10.4 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible.
        
        Persistent XSS merge request project import
        
        The merge request page contained a lack of input validation and 
        output encoding issue which resulted in a persistent XSS. The issue
        is now mitigated in the latest release and is assigned 
        CVE-2018-17536.
        
        Thanks to @isra17 for responsibly reporting this vulnerability to 
        us.
        
        Versions Affected
        
        Affects GitLab CE/EE 10.4 and later.
        
        Remediation
        
        We strongly recommend that all installations running an affected
        version above be upgraded to the latest version as soon as
        possible." [1]
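        Two of the items quoted above (the Kubernetes integration SSRF,
        CVE-2018-17450, and the validate_localhost bypass in url_blocker.rb,
        CVE-2018-17452) come down to a server-side URL check that let
        internal addresses through. The following Ruby check is an added
        example and is not GitLab's code: it resolves the host, unwraps
        IPv4-mapped addresses and rejects loopback, private and link-local
        ranges. The range list, the BlockedUrlError class and the injectable
        resolver: parameter are this example's own assumptions; ipaddr,
        resolv and uri are Ruby standard library.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Added example, not GitLab's url_blocker.rb: reject any host that resolves
# to a loopback, private, link-local or unspecified address. Matching only the
# literal name "localhost" lets 127.0.0.1, ::1 and ::ffff:127.0.0.1 through.
BLOCKED_RANGES = [
  "127.0.0.0/8", "::1/128",                          # loopback
  "0.0.0.0/8", "::/128",                             # this host / unspecified
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
  "169.254.0.0/16", "fe80::/10",                     # link-local, incl. cloud metadata
  "fc00::/7",                                        # IPv6 unique local
].map { |cidr| IPAddr.new(cidr) }.freeze

class BlockedUrlError < StandardError; end

# True when addr lies in a blocked range; IPv4-mapped IPv6 is unwrapped first.
def blocked_address?(addr)
  ip = IPAddr.new(addr.to_s)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# IP literals are returned as-is, names go to DNS; injectable for offline use.
def resolve_host(host)
  literal = (IPAddr.new(host) rescue nil)
  literal ? [literal.to_s] : Resolv.getaddresses(host)
end

# Raises unless every resolved address is allowed (one loopback record suffices).
def validate_url!(url, resolver: method(:resolve_host))
  uri = URI.parse(url)
  raise BlockedUrlError, "scheme not allowed" unless %w[http https].include?(uri.scheme)
  host = uri.hostname
  raise BlockedUrlError, "missing host" if host.nil? || host.empty?
  addresses = resolver.call(host)
  raise BlockedUrlError, "#{host} did not resolve" if addresses.empty?
  bad = addresses.find { |a| blocked_address?(a) }
  raise BlockedUrlError, "#{host} resolves to blocked address #{bad}" if bad
  uri
end

# Boolean wrapper; malformed URLs count as not allowed.
def url_allowed?(url, resolver: method(:resolve_host))
  validate_url!(url, resolver: resolver)
  true
rescue BlockedUrlError, URI::InvalidURIError
  false
end
```

        A check of this kind must be applied to the address the fetch
        actually connects to, not only to a lookup done beforehand, or a
        name that re-resolves between the check and the request still gets
        through.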


MITIGATION

        GitLab versions 11.3.1, 11.2.4, and 11.1.7 have been released which
        address these vulnerabilities.


REFERENCES

        [1] GitLab Security Release: 11.3.1, 11.2.4, and 11.1.7
            https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================