No tokens for you: GitLab flings out critical security patches

DevOps platform provider GitLab has released critical security updates 14.8.2, 14.7.4, and 14.6.5, strongly recommending that users upgrade their installations, or at least apply the hotpatch to their instances, in order to keep them secure.

Amongst the issues fixed in the release is a critical severity vulnerability affecting all versions starting from 12.10. Due to an information disclosure issue in the quick actions implementation, CVE-2022-0735, which scored a CVSS of 9.6, lets unauthorised users obtain runner registration tokens, and with those register runners of their own against the affected projects or groups. Users on versions below 14.6 who can't simply move to one of the new releases should consider applying the hotpatch instead; variants of it are currently available for versions 14.5.4, 14.4.5, 14.3.4, 14.2.7, 14.1.8, 14.0.12 and 13.12.15.

Teams should be aware that the update “will reset runner registration tokens for your group and projects. If you use an automated process (scripts that encode the value of the registration token) to register runners, this update will break that process. However, it should have no effect on previously registered runners.”

Admins are advised to back up the tokens before making the update, and to use that backup to “identify potentially malicious registration tokens, or rogue runners” later on by checking whether any of the revoked tokens reappear, and by reviewing runners that were already registered before the reset.
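The backup-then-audit routine described above, and a registration helper that survives the token reset mentioned in GitLab's warning, as an added example written for this article. It is not GitLab's own code. The REST paths are GitLab's documented endpoints (`runners_token` is returned by `GET /projects/:id` to Maintainers and by `GET /groups/:id` to Owners; `GET /runners/all` is admin-only); the `make_http_fetch` helper, the `PRIVATE-TOKEN` authentication, the sample responses, token strings and runner names are all constructed for illustration, and the "known runners" allowlist is an assumed team inventory.

```python
"""Added example: back up runner registration tokens before the GitLab update,
then audit the instance afterwards. Not GitLab's own code; the REST paths are
GitLab's documented endpoints, everything else (sample data, token strings,
runner names, the allowlist) is constructed for illustration."""
import json
import urllib.request
from typing import Any, Callable, Dict, Iterable, Set

# A fetch function maps an API path to its decoded JSON body. It is injected so
# the logic can run offline against the constructed samples at the bottom.
Fetch = Callable[[str], Any]


def make_http_fetch(base_url: str, private_token: str) -> Fetch:
    """Fetcher for a live instance: GET base_url + path with a personal access token."""
    def fetch(path: str) -> Any:
        req = urllib.request.Request(base_url + path,
                                     headers={"PRIVATE-TOKEN": private_token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def backup_state(fetch: Fetch, project_ids: Iterable[int],
                 group_ids: Iterable[int]) -> dict:
    """Pre-update snapshot: the registration token of each scope (the
    runners_token field of GET /projects/:id and GET /groups/:id) plus the
    admin-wide runner inventory (GET /runners/all). Keep the result outside
    the instance: the tokens are secrets."""
    tokens: Dict[str, str] = {}
    for pid in project_ids:
        path = f"/api/v4/projects/{pid}"
        tokens[path] = fetch(path)["runners_token"]
    for gid in group_ids:
        path = f"/api/v4/groups/{gid}"
        tokens[path] = fetch(path)["runners_token"]
    runners = {r["id"]: r["description"] for r in fetch("/api/v4/runners/all")}
    return {"tokens": tokens, "runners": runners}


def audit_after_update(fetch: Fetch, backup: dict, known_runners: Set[str]) -> dict:
    """Post-update checks.
    not_rotated: scopes whose token still equals the backed-up value, i.e. a
                 revoked token that reappeared because the reset missed it.
    review:      runners that already existed before the reset and are not in
                 the team's inventory; they were registered with a token that
                 CVE-2022-0735 may have exposed, so each one needs a look.
    Runners registered after the reset used a fresh token and are not flagged."""
    not_rotated = [path for path, old in backup["tokens"].items()
                   if fetch(path)["runners_token"] == old]
    current = {r["id"]: r["description"] for r in fetch("/api/v4/runners/all")}
    review = {rid: desc for rid, desc in current.items()
              if rid in backup["runners"] and desc not in known_runners}
    return {"not_rotated": not_rotated, "review": review}


def registration_token(fetch: Fetch, project_id: int) -> str:
    """For registration scripts: read the current token at run time instead of
    embedding it, so a token reset no longer breaks the script."""
    return fetch(f"/api/v4/projects/{project_id}")["runners_token"]


# Constructed sample responses (not real tokens or runners).
SAMPLE_PRE = {
    "/api/v4/projects/42": {"id": 42, "runners_token": "old-project-42-token"},
    "/api/v4/groups/7": {"id": 7, "runners_token": "old-group-7-token"},
    "/api/v4/runners/all": [
        {"id": 1, "description": "ci-linux-01", "runner_type": "project_type"},
        {"id": 2, "description": "tmp-runner", "runner_type": "group_type"},
    ],
}
SAMPLE_POST = {
    "/api/v4/projects/42": {"id": 42, "runners_token": "new-project-42-token"},
    # Group 7 still shows the old token: its reset did not happen.
    "/api/v4/groups/7": {"id": 7, "runners_token": "old-group-7-token"},
    "/api/v4/runners/all": [
        {"id": 1, "description": "ci-linux-01", "runner_type": "project_type"},
        {"id": 2, "description": "tmp-runner", "runner_type": "group_type"},
        {"id": 3, "description": "ci-linux-02", "runner_type": "project_type"},
    ],
}


def demo() -> dict:
    """Back up against the pre-update sample, audit against the post-update one."""
    backup = backup_state(lambda p: SAMPLE_PRE[p], [42], [7])
    return audit_after_update(lambda p: SAMPLE_POST[p], backup, {"ci-linux-01"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against the constructed samples the audit reports group 7 as not rotated and runner 2 ("tmp-runner") for review, while runner 3, registered after the reset, is left alone. On a real instance, swap the lambdas for `make_http_fetch("https://gitlab.example.com", token)` and feed the real project and group ids; the same `registration_token` call is what an automated registration script should use in place of a hardcoded token.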

Other than that, the new releases include fixes for five medium-severity and one low-severity issue, as well as updates to Mattermost and Grafana meant to mitigate security concerns. Left unpatched, all older GitLab versions are, for instance, susceptible to unauthorised actors using the sendmail delivery method to leak environment variables (CVE-2022-0741), while versions from 14.6 onwards can leak user passwords when adding pull mirrors with SSH credentials (CVE-2022-0738).

The GitLab team modified the GraphQL API to make sure the contents of Snippet files are displayed correctly, since malicious Snippet contents could be used to trick users into executing arbitrary commands (CVE-2022-0751). In versions starting from 13.0 the same API could also be used to enumerate valid system users, which the new releases address as well.

Versions before GitLab 14.3.6 also contained an issue that allowed the REST API to let unprivileged users add others to groups even though this wouldn’t be possible via the UI (CVE-2022-0549), which is fixed in the updates as well. 

Further details on the vulnerabilities tackled in the new versions aren’t available yet, but are promised to be publicly shared in late March 2022.