Tuesday, October 9, 2018

Arbitrary Code Execution Vulnerability in Git CVE-2018-17456

A new security vulnerability has been disclosed. All Git versions prior to 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1 and 2.19.1 are affected.

The CVE-2018-17456 vulnerability allows an attacker to execute arbitrary code by crafting a malicious .gitmodules file in a project cloned with the flag --recurse-submodules:

When running "git clone --recurse-submodules", Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a "git clone" subprocess. If the URL field is set to a string that begins with a dash, this "git clone" subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran "git clone".

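The advisory text above describes the trigger precisely: a submodule url value that begins with a dash. The following added example (not code from Git or from Bitnami) is a small defensive audit that parses a .gitmodules file and reports any submodule whose url would be read as an option rather than a URL, so a repository can be checked before it is cloned recursively on a client that is not yet on a fixed version. The .gitmodules content and the submodule names in it are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed .gitmodules sample: one ordinary submodule and one whose url
# starts with a dash, the shape CVE-2018-17456 abuses. The dash-prefixed value
# is a placeholder, not a real git option.
SAMPLE_GITMODULES = """\
[submodule "lib/good"]
\tpath = lib/good
\turl = https://example.com/good.git
[submodule "lib/suspect"]
\tpath = lib/suspect
\turl = --not-a-url
"""

_SECTION = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]$')
_KEYVAL = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [submodule "name"] / key = value layout of .gitmodules.

    Keys are lower-cased (git config keys are case-insensitive) and a value
    wrapped in double quotes is unquoted, as git itself would do.
    """
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        section = _SECTION.match(line)
        if section:
            current = modules.setdefault(section.group("name"), {})
            continue
        kv = _KEYVAL.match(line)
        if kv and current is not None:
            value = kv.group("value").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[kv.group("key").lower()] = value
    return modules


def dash_prefixed_urls(text: str) -> List[str]:
    """Names of submodules whose url begins with '-' and so would be parsed
    as an option by the "git clone" subprocess described in the advisory."""
    return [name for name, cfg in parse_gitmodules(text).items()
            if cfg.get("url", "").startswith("-")]


if __name__ == "__main__":
    for name in dash_prefixed_urls(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: url begins with a dash, refuse to clone recursively")
```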
Our team is working on updating all the affected solutions available in the Bitnami catalog. That way, all new installations and cloud launches will use a fixed Git version. If you have a running application that uses Git, you will need to migrate the content of your deployment to a new one that runs a fixed Git version.

If you have installed Git using the system packages, please update the component when the new package is available for your operating system.

If you have any questions about the security issue or you need support to migrate your data, please post to our community support forum and we will be happy to help!