• Home
  • |
  • Blog
  • |
  • How to Fix CVE-2022-2884- A Remote Code Execution Vulnerability in GitLab
How to Fix CVE-2022-2884- A Remote Code Execution Vulnerability in GitLab

GitLab published a security advisory against a critical authenticated remote code execution vulnerability in GitLab on 22 April. The vulnerability tracked as CVE-2022-2884 with a base score of 9.9 in the Common Vulnerability Scoring System is a Critical severity vulnerability that allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. It is important for all the GitLab users to know about the CVE-2022-2884 vulnerability and fix it up as soon as they can. In this post, let’s see the summary, versions affected, and finally how to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab. Let’s start the post from the summary of the CVE-2022-2884 vulnerability.

Summary of CVE-2022-2884

This is a critical authenticated remote code execution vulnerability in GitLab with a CVSS score 9.9. Attackers can exploit this flaw by triggering GitHub API endpoint. Successful exploitation could allow attackers to inject malware, run malicious code, and take complete control of the victim machine. 

Associated CVE IDCVE-2022-2884
DescriptionA Critical Authenticated Remote Code Execution Vulnerability in GitLab
Associated ZDI ID
CVSS Score9.9 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PRLow
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
Availability (a)High

GitLab Versions Affected By The CVE-2022-2884 Vulnerability

advisory says that this remote code execution Vulnerability in GitLab affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 11.3.4 before 15.1.5, from 15.2 before 15.2.3, and 15.3 before 15.3.1.

How to Fix CVE-2022-2884- A Remote Code Execution Vulnerability in GitLab?

GitLab responded these flaws by releasing security updates. All these vulnerabilities were fixed in versions 15.3.1, 15.2.3, and 15.1.5. We recommend you upgrade your GitLab to any of these versions to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab.

The best practice is to restrict GitLab access from the public network and disable GitHub import. Since attacks are prone to the GitLab exposed to the internet, we recommend not to host the GitLab directly to the internet. Deploy it behind the VPN gateways. or publish them on a secure platform like Citrix.

Workaround to Protect your GitLab from CVE-2022-2884

If you are not in a position to upgrade GitLab to the patched versions, it is recommend to disable GitHub import. Follow these steps to disable the GitHub import:

  1. Sign in to GitLab as an Administrator.
  2. On the top bar, select Menu > Admin.
  3. On the left sidebar, select Settings > General.
  4. Expand the Visibility and access controls.
  5. Under “Import sources” disable the “GitHub” option.
  6. Click “Save changes”.

If you want to verify the applied workaround is in function.

  1. Sign in to GitLab as an User.
  2. Click “+” on the top bar.
  3. Click “New project/repository”.
  4. Click “Import project”.
  5. Verify that “GitHub” does not appear as an import option.

Time needed: 10 minutes.

How to upgrade GitLab to the latest version?

GitLab upgradation process depends on the installation methods followed in your organization. GitLab officially supports four different ways of upgradation process:

1. Linux packages (Omnibus GitLab)
2. Source installations
3. Docker installations
4. Kubernetes (Helm) installations

  1. Create backup before the upgrade

    It is highly recommended to have a full up-to-date backup before you begin.

  2. Add GitLab official repositories

    1. gitlab/gitlab-ee: The full GitLab package contains all the Community Edition features plus the Enterprise Edition ones.
    2. gitlab/gitlab-ce: A stripped-down package that contains only the Community Edition features.
    3. gitlab/unstable: Release candidates and other unstable versions.
    4. gitlab/nightly-builds: Nightly builds.
    5. gitlab/raspberry-pi2: Official Community Edition releases built for Raspberry Pi packages.

    You can run this command to update the latest repositories if you have GitLab installed on your server.

    $ sudo apt update

  3. Upgrade GitLab to the latest version using the official repositories

    To upgrade to the latest GitLab version:

    # Ubuntu/Debian
    $ sudo apt upgrade gitlab-ee

    # RHEL/CentOS 6 and 7
    $ sudo yum upgrade gitlab-ee

    # RHEL/CentOS 8
    $ sudo dnf upgrade gitlab-ee

    # SUSE
    $ sudo zypper upgrade gitlab-ee

    Note: For the GitLab Community Edition, replace gitlab-ee with gitlab-ce.

  4. Upgrade GitLab to a specific version

    Use these commands with a version number to upgrade GitLab to a specific version.

    # Ubuntu/Debian
    $ sudo apt install gitlab-ee=<version>

    # RHEL/CentOS 6 and 7
    $ sudo yum install gitlab-ee-<version>

    # RHEL/CentOS 8
    $ sudo dnf install gitlab-ee-<version>

    # SUSE
    $ sudo zypper install gitlab-ee=<version>

  5. Upgrade GitLab using a manually-downloaded package

    After the package is downloaded, install it by using one of the following commands and replacing <package_name> with the package name you downloaded:

    # Debian/Ubuntu
    $ dpkg -i <package_name>

    # CentOS/RHEL
    $ rpm -Uvh <package_name>

    # SUSE
    $ zypper install <package_name>

We hope this post will help you know how to fix CVE-2022-2884, a critical authenticated remote code execution vulnerability in GitLab. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.