Page MenuHomePhabricator
Create Task
Maniphest T336085

GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7
Closed, ResolvedPublicSecurity
Actions

Description

Blog post: https://about.gitlab.com/releases/2023/05/05/critical-security-release-gitlab-15-11-2-released/

Includes one fix, for:

Table of Fixes
Title 	Severity
Malicious Runner Attachment via GraphQL 	critical

docs

Test instance:

  • gitlab-prod-1002.devtools.eqiad1.wikimedia.cloud
  • gitlab-runner-1002.devtools.eqiad1.wikimedia.cloud
  • gitlab-runner-1003.devtools.eqiad1.wikimedia.cloud

Replicas:

  • gitlab1003.wikimedia.org
  • gitlab1004.wikimedia.org

Production:

  • gitlab2002.wikimedia.org
  • Trusted runners
  • Shared runners
  • Cloud runners

Details

Risk Rating
High
Author Affiliation
WMF Technology Dept

Related Objects

Event Timeline

Jelto created this task.May 5 2023, 9:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 5 2023, 9:15 PM
Jelto changed the task status from Open to In Progress.May 5 2023, 9:18 PM
Jelto claimed this task.
Jelto triaged this task as High priority.
Jelto updated the task description. (Show Details)
Jelto added projects: collaboration-services, GitLab (Infrastructure).

I updated gitlab-ce to 15.9.7-ce.0 and proceed with updating the test instance.

Only the gitlab server instances need a upgrade, runners don't need a upgrade.

Jelto moved this task from Incoming to Work in Progress on the collaboration-services board.May 5 2023, 9:20 PM
Jelto updated the task description. (Show Details)May 5 2023, 9:45 PM

I updated the test instance to 15.9.7-ce.0

I'll proceed with replicas and production tomorrow morning. There are no suspicious runners registered and I disabled registration of new runners temporarily under https://gitlab.wikimedia.org/admin/application_settings/ci_cd.

Jelto added subscribers: LSobanski, eoghan, MoritzMuehlenhoff.May 5 2023, 10:01 PM
Jelto updated the task description. (Show Details)May 6 2023, 7:48 AM
Jelto updated the task description. (Show Details)May 6 2023, 8:53 AM
Jelto closed this task as Resolved.May 6 2023, 8:57 AM

All hosts upgraded. I enabled registration of new runners again.

Cookbooks failed due to T335855.

Jelto mentioned this in T333347: Phabricator does not degrade properly when GitLab is unavailable.May 6 2023, 8:58 AM
thcipriani awarded a token.May 8 2023, 4:24 PM
sbassett edited projects, added Vuln-VulnComponent, SecTeam-Processed; removed Security-Team.May 8 2023, 5:47 PM
sbassett awarded a token.
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to High.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits