Tuesday, May 3, 2016

Critical Security Release for GitLab (CVE-2016-4340)


The GitLab project has released an update containing a number of important security fixes, including one for a critical privilege escalation. We strongly recommend that all GitLab installations be upgraded to the new version immediately.

We have released new versions of the Bitnami Gitlab 8.7.1 installers, virtual machines and cloud images that include these security fixes.

Critical Security Issue: Privilege escalation via "impersonate" feature

Added in GitLab 8.2, this feature was intended to allow an administrator to simulate being logged in as any other user.

Part of this feature was not properly secured: any authenticated user, administrator or not, could "log in" as any other user, including administrators. Please see the official GitLab security advisory for more details on this issue and on the other changes included in the release.

Workarounds

If you are unable to upgrade right away, you can protect your GitLab installation against this vulnerability with one of the workarounds below until you have time to upgrade. Note that both workarounds disable the "stop impersonation" action for everyone, administrators included: an administrator who impersonates a user while a workaround is in place will have to sign out to get back to their own account. Remove the workaround once you upgrade to a fixed version.

Securing via web server configuration

1. Add the following block at the end of GitLab's httpd-app.conf file (in the Bitnami stack this is normally /opt/bitnami/apps/gitlab/conf/httpd-app.conf):
<LocationMatch "^/admin/users/stop_impersonation">
  Order Deny,Allow
  Deny from all
</LocationMatch>
These are Apache 2.2-style directives; on an Apache 2.4 build that does not load mod_access_compat, use "Require all denied" inside the LocationMatch block instead.
2. Restart Apache:
sudo /opt/bitnami/ctlscript.sh restart apache
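The following script is an added example, not part of the original Bitnami post or of GitLab itself. It applies the web server workaround above in an idempotent way (re-running it cannot duplicate the LocationMatch block), keeps a backup of the configuration to restore after upgrading, runs an Apache syntax check before restarting, and optionally probes the blocked URL with curl so the check in "Verifying the workaround" can be scripted. The config path, the apachectl location and the ctlscript.sh call assume the standard Bitnami layout; adjust them if your install differs.

```shell
#!/bin/sh
# Added example (not from the Bitnami post): apply and check the Apache
# workaround for CVE-2016-4340 on a Bitnami GitLab stack.
# Assumed Bitnami paths; override GITLAB_CONF / APACHECTL if yours differ.

GITLAB_CONF="${GITLAB_CONF:-/opt/bitnami/apps/gitlab/conf/httpd-app.conf}"
APACHECTL="${APACHECTL:-/opt/bitnami/apache2/bin/apachectl}"
# Fixed-string marker used to detect whether the rule is already present.
MARKER='LocationMatch "^/admin/users/stop_impersonation"'

# Append the deny block to the config file given as $1 unless it is already
# there. Returns 0 on success (including the no-op case), 1 if the file is
# missing. A backup copy is written before the file is modified.
ensure_stop_impersonation_denied() {
  conf="$1"
  [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
  if grep -qF "$MARKER" "$conf"; then
    return 0
  fi
  cp "$conf" "$conf.bak-cve-2016-4340"   # keep a copy to restore after upgrading
  cat >> "$conf" <<'EOF'

# Workaround for CVE-2016-4340: deny the stop_impersonation action to every
# client. Remove this block after upgrading GitLab to a fixed version.
<LocationMatch "^/admin/users/stop_impersonation">
  Order Deny,Allow
  Deny from all
</LocationMatch>
EOF
}

# Print how many copies of the rule the config file in $1 carries.
# After applying the workaround this should be exactly 1.
count_deny_blocks() {
  grep -cF "$MARKER" "$1"
}

# Probe a running instance: prints the HTTP status Apache returns for the
# blocked path and succeeds only if it is 403. $1 is the base URL of GitLab.
# (-k skips TLS verification for the self-signed cert a fresh Bitnami VM ships.)
probe_stop_impersonation() {
  base="$1"
  status=$(curl -k -s -o /dev/null -w '%{http_code}' "$base/admin/users/stop_impersonation")
  echo "$status"
  [ "$status" = "403" ]
}

# Usage, as root on the Bitnami host:
#   APPLY_WORKAROUND=1 sh apply_workaround.sh https://gitlab.example.com
# Nothing is changed unless APPLY_WORKAROUND=1 is set, so the file can be
# sourced to reuse the functions.
if [ "${APPLY_WORKAROUND:-0}" = "1" ]; then
  ensure_stop_impersonation_denied "$GITLAB_CONF" || exit 1
  "$APACHECTL" -t || exit 1            # refuse to restart on a syntax error
  /opt/bitnami/ctlscript.sh restart apache
  [ -n "$1" ] && probe_stop_impersonation "$1"
fi
```

The probe deliberately sends an anonymous request: Apache evaluates the LocationMatch before the request ever reaches Rails, so a 403 from an unauthenticated curl is the same evidence the browser steps below give, and it can be put in a monitoring job until the upgrade is done.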

Securing via patch

1. Create a patch file in /opt/bitnami/apps/gitlab/htdocs with the following content:
diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb
index bf98af7..8790018 100644
--- a/app/controllers/admin/impersonation_controller.rb
+++ b/app/controllers/admin/impersonation_controller.rb
@@ -1,4 +1,5 @@
 class Admin::ImpersonationController < Admin::ApplicationController
+  before_action :render_403, only: :destroy
   skip_before_action :authenticate_admin!, only: :destroy

   before_action :user
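Review bot: the new `before_action :render_403, only: :destroy` is placed above `skip_before_action :authenticate_admin!`, which is what makes it effective: render_403 renders a response, so the callback chain halts and neither the action nor `before_action :user` runs for destroy. That means the stop_impersonation action is disabled for every caller, administrators included, not merely restricted to the impersonating admin. Since this is a stop-gap rather than the upstream fix, the added line should carry a comment naming the CVE and the version that obsoletes it, e.g. `+  # Workaround for CVE-2016-4340; remove after upgrading to GitLab 8.7.1`, so that a later upgrade or merge of the real fix does not leave both in place.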

2. Apply the patch from that directory:
sudo git apply -v path.diff
You should see the following output:
Checking patch app/controllers/admin/impersonation_controller.rb...
Applied patch app/controllers/admin/impersonation_controller.rb cleanly.

3. Restore the ownership of the modified file (git apply rewrites the file, so after running it through sudo the file belongs to root instead of the git user):
sudo chown git:git /opt/bitnami/apps/gitlab/htdocs/app/controllers/admin/impersonation_controller.rb
Because Rails does not reload controllers in production mode, restart the GitLab application services afterwards so the patched controller is picked up.

Verifying the workaround

1. In an Incognito window, log in as an administrator
2. Go to the Admin section
3. Click on "Users"
4. Select any user
5. Click "Impersonate"
6. Click on the "Stop Impersonation" icon in the upper right
7. Verify that you receive a 403 Forbidden error

Do you have questions about Bitnami Gitlab or this security issue? Please post to our community forum and we will be happy to help you.