Patch me if you can: GitLab tackles major security issues, acquires UnReview to smarten up portfolio

GitLab

DevOps platform provider GitLab has pushed out an array of security releases trying to protect its users’ access tokens and reduce the potential for denial of service attacks. Versions 13.12.2, 13.11.5, and 13.10.5 are available right now and updating is strongly recommended given the high severity of some of the fixed issues.

Amongst other things, the updates tackle a cross-site leak vulnerability that affects all GitLab versions since 7.10 and can be used by attackers to leak OAuth access tokens. Malevolent actors would have to lure potential victims to open a specially prepared page in Safari to exploit the problem, but since the consequences can be quite serious, the issue has been given a CVSS score of 8.8 (no CVE ID assigned yet).

CVE-2021-22181 is another high severity issue (CVSS 7.7) mitigated in the releases. The bug has been present since v11.8 and “allows an attacker to create a recursive pipeline relationship and exhaust resources” which leads the system in question to deny service.

All versions before the current releases are vulnerable to two medium severity DoS issues that allow attackers to cause uncontrolled resource consumption with either a specially crafted issue or merge request, or very long issue and merge request descriptions.

On top of that, users on versions newer than 10.5 should consider updating to make sure they’re protected from a newly discovered information disclosure and server-side request forgery vulnerability, which was attributed to an unauthenticated CI lint API. 

In versions 12.9.0 to 13.10.5, 13.11.0 to 13.11.5, and 13.12.0 to 13.12.2 insufficient validation of expired passwords allowed users to maintain limited access once their credentials had expired, which is also fixed now.

Meanwhile GitLab as a company is looking into ways to advance the product set and has now landed on the idea of sprinkling some machine learning (ML) onto its DevOps tooling. To help with this endeavor, GitLab just announced the acquisition of UnReview, a tool that was first introduced in 2020 and uses ML to help identify fitting code reviewers based on their expertise and workload. 

The technology is said to be integrated into the company’s software as a service offering by the end of the year and is touted as a “first step in building GitLab’s Applied Machine Learning for DevOps” by GitLab CTO Eric Johnson. 

Besides helping with review organisation, UnReview’s machine learning algorithm is meant to serve as a starting point for automating “workflow tasks such as the triage of epics and issues including the assigning of issues and suggesting related issues and epics” GitLab states.

UnReview founder Alexander Chueshev will support the process as senior full stack engineer at GitLab. Financial details of the deal haven’t been disclosed to the public, though the company’s handbook mentions total purchase prices not exceeding $1M and offering founders up to $250,000 plus stock option grants.