Thursday, January 18, 2018

Security Release: GitLab 10.3.4


The GitLab project has released a new update that contains several security fixes, including two that prevent remote code execution. We recommend that all GitLab installations be upgraded to GitLab's new version (GitLab 10.3.4) immediately.

We have released new versions of Bitnami GitLab 10.3.4 virtual machines and cloud images that fix the following security issues along with others:

  • Remote Code Execution Vulnerability in GitLab Projects Import (CVE-2017-0915 and CVE-2018-3710): These allow an attacker to write files to arbitrary directories on the server, which in turn could result in remote code execution.
If you are unable to upgrade immediately, you can use the following workaround in your existing GitLab installation to fix this vulnerability:
  1. Go to the /admin/application_settings URL of your GitLab instance.
  2. Under "Import sources", uncheck the "GitLab export" checkbox.
  3. Click "Save".

  • GitLab CI Runner Can Read and Poison Cache of All Other Projects (CVE-2017-0918): No workaround currently available
  • Jupyter Notebook XSS (CVE-2017-0923): No workaround currently available
  • Sensitive Fields Exposed to Admins / Masters in the Services API (CVE-2017-0925): No workaround currently available

More information about these issues can be found in the official blog post. Apart from the workaround described above for the remote code execution vulnerability, there is currently no available workaround for the remaining vulnerabilities. Therefore, if you are running a GitLab instance with a version prior to 10.3.4, you will need to upgrade GitLab to the latest version by following this documentation (https://docs.gitlab.com/omnibus/update/README.html#updating-gitlab-via-omnibus-gitlab).

Do you have questions about Bitnami GitLab or these security issues? Please post to our community forum, and we will be happy to help you.