August 25, 2022

How to Fix CVE-2022-2884- A Remote Code Execution Vulnerability in GitLab


GitLab published a security advisory for a critical authenticated remote code execution vulnerability in GitLab on 22 April. The vulnerability, tracked as CVE-2022-2884 with a CVSS base score of 9.9 (Critical), allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. All GitLab users should be aware of CVE-2022-2884 and patch it as soon as they can. In this post, we cover the summary, the affected versions, and finally how to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab. Let's start with the summary of the CVE-2022-2884 vulnerability.

Summary of CVE-2022-2884

This is a critical authenticated remote code execution vulnerability in GitLab with a CVSS score of 9.9. An authenticated attacker can exploit this flaw through the Import from GitHub API endpoint. Successful exploitation could allow the attacker to inject malware, run malicious code on the GitLab server, and take complete control of it.

Associated CVE ID: CVE-2022-2884
Description: A Critical Authenticated Remote Code Execution Vulnerability in GitLab
Associated ZDI ID:
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Impact Score:
Exploitability Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

GitLab Versions Affected By The CVE-2022-2884 Vulnerability

The GitLab advisory states that this remote code execution vulnerability affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) from 11.3.4 before 15.1.5, from 15.2 before 15.2.3, and from 15.3 before 15.3.1.

How to Fix CVE-2022-2884- A Remote Code Execution Vulnerability in GitLab?

GitLab responded to this flaw by releasing security updates. The vulnerability is fixed in versions 15.3.1, 15.2.3, and 15.1.5. We recommend upgrading your GitLab instance to the fixed release for your version line to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab.

The best practice is to restrict GitLab access from the public network and to disable GitHub import. Since internet-exposed GitLab instances are the most likely targets, we recommend not exposing GitLab directly to the internet. Deploy it behind a VPN gateway, or publish it through a secure access platform such as Citrix.

Workaround to Protect your GitLab from CVE-2022-2884

If you are not in a position to upgrade GitLab to a patched version, it is recommended to disable GitHub import. Follow these steps to disable the GitHub import source:

  1. Sign in to GitLab as an Administrator.

  2. On the top bar, select Menu > Admin.

  3. On the left sidebar, select Settings > General.

  4. Expand the Visibility and access controls.

  5. Under “Import sources” disable the “GitHub” option.

  6. Click “Save changes”.

To verify that the workaround is in effect:

  1. Sign in to GitLab as a regular user.

  2. Click “+” on the top bar.

  3. Click “New project/repository”.

  4. Click “Import project”.

  5. Verify that “GitHub” does not appear as an import option.
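The two checks above (the affected version ranges and whether GitHub import is still enabled) can also be automated across many instances. The following Python script is an added example, not code from the original post or from GitLab; it reads the real `/api/v4/version` and `/api/v4/application/settings` endpoints with an administrator token, and the environment variable names GITLAB_URL and GITLAB_TOKEN are assumptions.

```python
import json
import os
import urllib.request

# Affected ranges from the advisory as [first_affected, fixed): the fixed
# release itself (15.1.5, 15.2.3, 15.3.1) is not vulnerable.
AFFECTED_RANGES = [
    ((11, 3, 4), (15, 1, 5)),
    ((15, 2, 0), (15, 2, 3)),
    ((15, 3, 0), (15, 3, 1)),
]

def parse_version(text):
    """Turn '15.2.1-ee' into (15, 2, 1); missing components are padded with 0."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_vulnerable_version(text):
    """True when the version lies inside any affected range."""
    v = parse_version(text)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)

def github_import_enabled(settings):
    """'github' in import_sources means the workaround has not been applied."""
    return "github" in settings.get("import_sources", [])

def assess(version_text, settings):
    """Combine both checks into one verdict."""
    if not is_vulnerable_version(version_text):
        return "patched"
    if github_import_enabled(settings):
        return "exposed"
    return "vulnerable version, workaround applied"

def fetch(path):
    """GET a GitLab API path; the token must belong to an administrator (assumed env vars)."""
    url = os.environ["GITLAB_URL"].rstrip("/") + path
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": os.environ["GITLAB_TOKEN"]})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    if "GITLAB_URL" in os.environ:
        version = fetch("/api/v4/version")["version"]
        settings = fetch("/api/v4/application/settings")
    else:  # constructed sample data so the script also runs offline
        version, settings = "15.2.1-ee", {"import_sources": ["github", "git"]}
    print(assess(version, settings))
```

A verdict of "vulnerable version, workaround applied" means the instance still needs the upgrade; the workaround only removes the GitHub import path.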

How to upgrade GitLab to the latest version?

The GitLab upgrade process depends on the installation method used in your organization. GitLab officially supports four installation methods, each with its own upgrade procedure:

  1. Linux packages (Omnibus GitLab)

  2. Source installations

  3. Docker installations

  4. Kubernetes (Helm) installations

The steps below cover the Linux package (Omnibus GitLab) installation.

Step 1. Create backup before the upgrade

It is highly recommended to have a full up-to-date backup before you begin.

Step 2. Add GitLab official repositories

GitLab publishes the following package repositories:

  1. gitlab/gitlab-ee: The full GitLab package, containing all the Community Edition features plus the Enterprise Edition ones.

  2. gitlab/gitlab-ce: A stripped-down package that contains only the Community Edition features.

  3. gitlab/unstable: Release candidates and other unstable versions.

  4. gitlab/nightly-builds: Nightly builds.

  5. gitlab/raspberry-pi2: Official Community Edition releases built for Raspberry Pi.

If GitLab is already installed from these repositories on your server, refresh the package lists with:

$ sudo apt update

Step 3. Upgrade GitLab to the latest version using the official repositories

To upgrade to the latest GitLab version:

# Ubuntu/Debian
$ sudo apt upgrade gitlab-ee

# RHEL/CentOS 6 and 7
$ sudo yum upgrade gitlab-ee

# RHEL/CentOS 8
$ sudo dnf upgrade gitlab-ee

# SUSE
$ sudo zypper update gitlab-ee

Note: For GitLab Community Edition, replace gitlab-ee with gitlab-ce.

Step 4. Upgrade GitLab to a specific version

Use these commands with a version number to upgrade GitLab to a specific version, for example one of the fixed releases 15.1.5, 15.2.3, or 15.3.1:

# Ubuntu/Debian
$ sudo apt install gitlab-ee=<version>

# RHEL/CentOS 6 and 7
$ sudo yum install gitlab-ee-<version>

# RHEL/CentOS 8
$ sudo dnf install gitlab-ee-<version>

# SUSE
$ sudo zypper install gitlab-ee=<version>

Step 5. Upgrade GitLab using a manually-downloaded package

After the package is downloaded, install it by using one of the following commands, replacing <package_name> with the name of the package you downloaded:

# Debian/Ubuntu
$ sudo dpkg -i <package_name>

# CentOS/RHEL
$ sudo rpm -Uvh <package_name>

# SUSE
$ sudo zypper install <package_name>

We hope this post helps you understand how to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab. Thanks for reading this threat post. Please share it and help secure the digital world.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
