How to Fix CVE-2022-2884- A Remote Code Execution Vulnerability in GitLab

GitLab published a security advisory against a critical authenticated remote code execution vulnerability in GitLab on 22 April. The vulnerability tracked as CVE-2022-2884 with a base score of 9.9 in the Common Vulnerability Scoring System is a Critical severity vulnerability that allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. It is important for all the GitLab users to know about the CVE-2022-2884 vulnerability and fix it up as soon as they can. In this post, let’s see the summary, versions affected, and finally how to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab. Let’s start the post from the summary of the CVE-2022-2884 vulnerability.

Summary of CVE-2022-2884

This is a critical authenticated remote code execution vulnerability in GitLab with a CVSS score 9.9. Attackers can exploit this flaw by triggering GitHub API endpoint. Successful exploitation could allow attackers to inject malware, run malicious code, and take complete control of the victim machine. 

GitLab Versions Affected By The CVE-2022-2884 Vulnerability

advisory says that this remote code execution Vulnerability in GitLab affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, from 15.2 before 15.2.3, and 15.3 before 15.3.1.

How to Fix CVE-2022-2884- A Remote Code Execution Vulnerability in GitLab?

GitLab responded these flaws by releasing security updates. All these vulnerabilities were fixed in versions 15.3.1, 15.2.3, and 15.1.5. We recommend you upgrade your GitLab to any of these versions to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab.

The best practice is to restrict GitLab access from the public network and disable GitHub import. Since attacks are prone to the GitLab exposed to the internet, we recommend not to host the GitLab directly to the internet. Deploy it behind the VPN gateways. or publish them on a secure platform like Citrix.

Workaround to Protect your GitLab from CVE-2022-2884

If you are not in a position to upgrade GitLab to the patched versions, it is recommend to disable GitHub import. Follow these steps to disable the GitHub import:

If you want to verify the applied workaround is in function.

How to upgrade GitLab to the latest version?

GitLab upgradation process depends on the installation methods followed in your organization. GitLab officially supports four different ways of upgradation process:
1. Linux packages (Omnibus GitLab)
2. Source installations
3. Docker installations
4. Kubernetes (Helm) installations

Step 1. Create backup before the upgrade

It is highly recommended to have a full up-to-date backup before you begin.

Step 2. Add GitLab official repositories

1. gitlab/gitlab-ee: The full GitLab package contains all the Community Edition features plus the Enterprise Edition ones.2. gitlab/gitlab-ce: A stripped-down package that contains only the Community Edition features.3. gitlab/unstable: Release candidates and other unstable versions.4. gitlab/nightly-builds: Nightly builds.5. gitlab/raspberry-pi2: Official Community Edition releases built for Raspberry Pi packages.
You can run this command to update the latest repositories if you have GitLab installed on your server.

$ sudo apt update

Step 3. Upgrade GitLab to the latest version using the official repositories

To upgrade to the latest GitLab version:
# Ubuntu/Debian
$ sudo apt upgrade gitlab-ee

# RHEL/CentOS 6 and 7
$ sudo yum upgrade gitlab-ee

# RHEL/CentOS 8
$ sudo dnf upgrade gitlab-ee

# SUSE
$ sudo zypper upgrade gitlab-ee

Note: For the GitLab Community Edition, replace gitlab-ee with gitlab-ce.

Step 4. Upgrade GitLab to a specific version

Use these commands with a version number to upgrade GitLab to a specific version.
# Ubuntu/Debian
$ sudo apt install gitlab-ee=<version>

# RHEL/CentOS 6 and 7
$ sudo yum install gitlab-ee-<version>

# RHEL/CentOS 8
$ sudo dnf install gitlab-ee-<version>

# SUSE
$ sudo zypper install gitlab-ee=<version>

Step 5. Upgrade GitLab using a manually-downloaded package

After the package is downloaded, install it by using one of the following commands and replacing <package_name> with the package name you downloaded:
# Debian/Ubuntu
$ dpkg -i <package_name>

# CentOS/RHEL
$ rpm -Uvh <package_name>

# SUSE
$ zypper install <package_name>

We hope this post would help you know how to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this. 

You may also like these articles: