GitLab published a security advisory against a critical authenticated remote code execution vulnerability in GitLab on 22 April. The vulnerability tracked as CVE-2022-2884 with a base score of 9.9 in the Common Vulnerability Scoring System is a Critical severity vulnerability that allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. It is important for all the GitLab users to know about the CVE-2022-2884 vulnerability and fix it up as soon as they can. In this post, let’s see the summary, versions affected, and finally how to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab. Let’s start the post from the summary of the CVE-2022-2884 vulnerability.
Table of Contents
Summary of CVE-2022-2884
This is a critical authenticated remote code execution vulnerability in GitLab with a CVSS score 9.9. Attackers can exploit this flaw by triggering GitHub API endpoint. Successful exploitation could allow attackers to inject malware, run malicious code, and take complete control of the victim machine.
|Associated CVE ID||CVE-2022-2884|
|Description||A Critical Authenticated Remote Code Execution Vulnerability in GitLab|
|Associated ZDI ID||–|
|CVSS Score||9.9 Critical|
|Attack Vector (AV)||Network|
|Attack Complexity (AC)||Low|
|Privilege Required (PR||Low|
|User Interaction (UI)||None|
GitLab Versions Affected By The CVE-2022-2884 Vulnerability
advisory says that this remote code execution Vulnerability in GitLab affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, from 15.2 before 15.2.3, and 15.3 before 15.3.1.
How to Fix CVE-2022-2884- A Remote Code Execution Vulnerability in GitLab?
GitLab responded these flaws by releasing security updates. All these vulnerabilities were fixed in versions 15.3.1, 15.2.3, and 15.1.5. We recommend you upgrade your GitLab to any of these versions to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab.
The best practice is to restrict GitLab access from the public network and disable GitHub import. Since attacks are prone to the GitLab exposed to the internet, we recommend not to host the GitLab directly to the internet. Deploy it behind the VPN gateways. or publish them on a secure platform like Citrix.
Workaround to Protect your GitLab from CVE-2022-2884
If you are not in a position to upgrade GitLab to the patched versions, it is recommend to disable GitHub import. Follow these steps to disable the GitHub import:
- Sign in to GitLab as an Administrator.
- On the top bar, select Menu > Admin.
- On the left sidebar, select Settings > General.
- Expand the Visibility and access controls.
- Under “Import sources” disable the “GitHub” option.
- Click “Save changes”.
If you want to verify the applied workaround is in function.
- Sign in to GitLab as an User.
- Click “+” on the top bar.
- Click “New project/repository”.
- Click “Import project”.
- Verify that “GitHub” does not appear as an import option.
Time needed: 10 minutes
How to upgrade GitLab to the latest version?
GitLab upgradation process depends on the installation methods followed in your organization. GitLab officially supports four different ways of upgradation process:
1. Linux packages (Omnibus GitLab)
2. Source installations
3. Docker installations
4. Kubernetes (Helm) installations
- Create backup before the upgrade
It is highly recommended to have a full up-to-date backup before you begin.
- Add GitLab official repositories
gitlab/gitlab-ee: The full GitLab package contains all the Community Edition features plus the Enterprise Edition ones.
gitlab/gitlab-ce: A stripped-down package that contains only the Community Edition features.
gitlab/unstable: Release candidates and other unstable versions.
gitlab/nightly-builds: Nightly builds.
gitlab/raspberry-pi2: Official Community Edition releases built for Raspberry Pi packages.
You can run this command to update the latest repositories if you have GitLab installed on your server.
$ sudo apt update
- Upgrade GitLab to the latest version using the official repositories
To upgrade to the latest GitLab version:
$ sudo apt upgrade gitlab-ee
# RHEL/CentOS 6 and 7
$ sudo yum upgrade gitlab-ee
# RHEL/CentOS 8
$ sudo dnf upgrade gitlab-ee
$ sudo zypper upgrade gitlab-ee
Note: For the GitLab Community Edition, replace
- Upgrade GitLab to a specific version
Use these commands with a version number to upgrade GitLab to a specific version.
$ sudo apt install gitlab-ee=<version>
# RHEL/CentOS 6 and 7
$ sudo yum install gitlab-ee-<version>
# RHEL/CentOS 8
$ sudo dnf install gitlab-ee-<version>
$ sudo zypper install gitlab-ee=<version>
- Upgrade GitLab using a manually-downloaded package
After the package is downloaded, install it by using one of the following commands and replacing
<package_name>with the package name you downloaded:
$ dpkg -i <package_name>
$ rpm -Uvh <package_name>
$ zypper install <package_name>
We hope this post would help you know how to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.