GitLab yesterday released versions 8.17.4, 8.16.8 and 8.15.8 of the Community Edition and Enterprise Edition, fixing multiple high-risk vulnerabilities: a critical information disclosure vulnerability, an updated patch for the SSRF attack protection, a patch for a vulnerability that disclosed private e-mail addresses in Atom feeds, a patch for a private repository data leak through ElasticSearch, and others.
GitLab specifically notes in its release announcement that the critical-level vulnerability was found in the GitLab Issues and Merge Request trackers during its internal code review process, and it therefore strongly recommends that affected users upgrade as soon as possible.
Vulnerability number
CVE-2017-0882
Vulnerability description
The vulnerability allows an attacker who has permission to send (assign) an issue or merge request to another user to obtain that user's private token, email token, email address and encrypted OTP secret. Exploiting it requires Reporter-level permissions. With this sensitive information the attacker can act with the user's authority through the GitLab API; if the target user is an administrator, the impact is considerably greater.
The vulnerability is caused by a bug in the serialization of the user object and has been present since GitLab 8.7.0.
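To make the serialization bug concrete, here is an added example (not GitLab's or Rails' code) with a hypothetical stand-in for ActiveRecord's `serializable_hash` options: nesting a user with `include:` and no `only:` whitelist renders every column of the users row, while the whitelist shape used in the temporary patch later on this page renders only name and username. The row data, column names and `leaked_fields` check are constructed for the example.

```ruby
require 'json'
# Hypothetical stand-in for ActiveRecord's serializable_hash option handling
# (only:, methods:, include:); not GitLab's or Rails' code. `attributes` is a Hash
# of column values, like a loaded users row; `assocs` holds associated records.
class Record
  attr_reader :attributes
  def initialize(attributes, assocs = {})
    @attributes = attributes
    @assocs = assocs
  end
  def serializable_hash(options = {})
    keys = attributes.keys
    keys &= Array(options[:only]).map(&:to_s) if options[:only]  # column whitelist
    hash = keys.to_h { |k| [k, attributes[k]] }                  # default: every column
    Array(options[:methods]).each { |m| hash[m.to_s] = public_send(m) }
    (options[:include] || {}).each do |assoc, opts|
      hash[assoc.to_s] = @assocs.fetch(assoc).serializable_hash(opts)
    end
    hash
  end
  def to_json(options = {})
    serializable_hash(options).to_json
  end
end
class User < Record
  def avatar_url
    "https://example.invalid/avatars/#{attributes['username']}.png"
  end
end
# Constructed sample row; secret values are placeholders. Column names follow
# the reset_token.rake task on this page (authentication_token, incoming_email_token).
ASSIGNEE = User.new('id' => 7, 'name' => 'Alice', 'username' => 'alice',
                    'email' => 'alice@example.invalid',
                    'authentication_token' => 'PLACEHOLDER_PRIVATE_TOKEN',
                    'incoming_email_token' => 'PLACEHOLDER_EMAIL_TOKEN',
                    'encrypted_otp_secret' => 'PLACEHOLDER_ENCRYPTED_OTP')
ISSUE = Record.new({ 'id' => 1, 'title' => 'Example issue' }, assignee: ASSIGNEE)
SENSITIVE = %w[authentication_token incoming_email_token email encrypted_otp_secret].freeze
# Before the patch: the nested assignee is rendered with every column.
def vulnerable_json
  ISSUE.to_json(include: { assignee: { methods: :avatar_url } })
end
# After the patch: only name and username (plus avatar_url) are rendered.
def fixed_json
  ISSUE.to_json(include: { assignee: { only: [:name, :username], methods: [:avatar_url] } })
end
# Regression check: which sensitive user columns appear in a rendered issue?
def leaked_fields(json)
  SENSITIVE & JSON.parse(json).fetch('assignee').keys
end
```

A check like `leaked_fields` belongs in the test suite of any endpoint that nests user records, so a later call site that forgets the whitelist fails CI instead of leaking.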
Affected versions
8.7.0 to 8.15.7
8.16.0 to 8.16.7
8.17.0 to 8.17.3
Post-upgrade considerations
Because of the nature of the vulnerability, users' tokens may have been cached by a proxy or by the browser. Administrators are therefore advised to reset every user's private token and email token.
One-time password (OTP) secrets may also have been disclosed through the vulnerability. These secrets are stored encrypted and a key is required to decrypt them, which cannot be done without the user's password. Nevertheless, it is recommended that users turn the one-time password feature off and back on, which resets the OTP secret.
Steps to reset user tokens
Omnibus users should save the following source code to /opt/gitlab/embedded/service/gitlab-rails/lib/tasks/reset_token.rake
Users with a source installation should save it to /lib/tasks/reset_token.rake
require_relative '../../app/models/concerns/token_authenticatable.rb'

STDOUT.sync = true

namespace :tokens do
  desc "Reset all GitLab user auth tokens"
  task reset_all: :environment do
    reset_all_users_token(:reset_authentication_token!)
  end

  desc "Reset all GitLab email tokens"
  task reset_all_email: :environment do
    reset_all_users_token(:reset_incoming_email_token!)
  end

  # Walk the users table in batches and call the given reset method on every user.
  def reset_all_users_token(token)
    TmpUser.find_in_batches do |batch|
      puts "Processing batch starting with user ID: #{batch.first.id}"
      batch.each(&token)
    end
  end
end

# Lightweight model bound to the users table: ActiveRecord::Base supplies
# find_in_batches and save!, TokenAuthenticatable supplies write_new_token.
class TmpUser < ActiveRecord::Base
  include TokenAuthenticatable

  self.table_name = 'users'

  def reset_authentication_token!
    write_new_token(:authentication_token)
    save!(validate: false)
  end

  def reset_incoming_email_token!
    write_new_token(:incoming_email_token)
    save!(validate: false)
  end
end
Omnibus users run:
sudo gitlab-rake tokens:reset_all
sudo gitlab-rake tokens:reset_all_email
Source installation users run:
sudo -u git -H bundle exec rake tokens:reset_all RAILS_ENV=production
sudo -u git -H bundle exec rake tokens:reset_all_email RAILS_ENV=production
After both tasks have completed, the rake file can be deleted.
Temporary patch
Users who are unable to upgrade can apply the following patch:
Omnibus users:
$ cd /opt/gitlab/embedded/service/gitlab-rails/
$ git apply
$ sudo gitlab-ctl restart unicorn
Source code users:
$ cd
diff --git a/app/controllers/projects/issues_controller. rb b/app/controllers/projects/issues_controller. rb
index 1151555β¦857d907 100644
-β a/app/controllers/projects/issues_controller. rb
+++ b/app/controllers/projects/issues_controller. rb
@@ -129,7 +129,7 @@ class Projects::IssuesController
end
format. json do
- render json: @issue. to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
+ render json: @issue. to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
end
end
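Review bot: the `only: [:name, :username]` whitelist on the nested assignee is the actual fix in this hunk, because without it `to_json` renders every column of the user row, including the token and encrypted OTP columns this advisory is about; the change from `methods: :avatar_url` to `methods: [:avatar_url]` is equivalent, so `only:` is the sole behavioural change. Since this whitelist must be repeated at every call site that nests a user, it would be more robust to restrict the user's own `as_json`/`serializable_hash` (or use a dedicated serializer) so that a future `include: { assignee: ... }` cannot reintroduce the leak.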
diff --git a/app/controllers/projects/merge_requests_controller. rb b/app/controllers/projects/merge_requests_controller. rb
index 82f9b6eβ¦677a8a1 100644
-β a/app/controllers/projects/merge_requests_controller. rb
+++ b/app/controllers/projects/merge_requests_controller. rb
@@ -308,7 +308,7 @@ class Projects::MergeRequestsController
end
format. json do
- render json: @merge_request. to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
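Review bot: the `+` line of this hunk is missing from the page, so the merge request side of the patch cannot be verified here; the visible `-` line carries the same `assignee: { methods: :avatar_url }` as the issues controller and needs the same `only: [:name, :username]` whitelist. Because both controllers build identical `to_json` options, extracting them into one shared helper would keep the two from drifting apart again.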