Fwd: [CRITICAL ALERT: ACT NOW] Critical vulnerabilities in GitLab Products
Is this security alert of any interest?
---------- Forwarded message ---------
From: ACSC Alerts alerts.acsc@contact.cyber.gov.au
Date: Mon, 15 Jan 2024, 18:16
Subject: [CRITICAL ALERT: ACT NOW] Critical vulnerabilities in GitLab Products
To: howard.lowndes@gmail.com
15 January 2024
Dear ASD's ACSC Alert Service subscriber
This Alert is relevant to Australians who use GitLab on any platform.
These vulnerabilities impact the versions listed below:
- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1
This alert is intended to be understood by all users.
Customers are encouraged to patch to the latest version using the GitLab upgrade path and to enforce multi-factor authentication for all GitLab accounts.
*Background / What’s happened?*
- GitLab has posted a security advisory and patch to address several vulnerabilities, the most severe of which is CVE-2023-7028.
- CVE-2023-7028 allows an account takeover via the ability to have password reset emails delivered to an unauthenticated email address.
- Multi-factor authentication should be enabled immediately for all GitLab users, and self-managed instances should be upgraded to the latest version as soon as possible.
- Users with multi-factor authentication already enabled may be impacted by a password reset; however, an attacker would not be able to take over their account using this vulnerability.
- GitLab is not aware of any active exploitation of this vulnerability, which was discovered via their Bug Bounty program.
*Affected versions / applications:*
- CVE-2023-7028: This vulnerability impacts all versions of GitLab CE/EE from 16.1 to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2
- The security release also addresses CVE-2023-5356, CVE-2023-4812, CVE-2023-6955 and CVE-2023-2030.
*Mitigation / How do I stay secure?*
- Multi-factor authentication should be enabled immediately for all GitLab users.
- Self-managed instances should be upgraded to the latest version as soon as possible. GitLab advises managed instances have now all had the patch applied.
- Further information and details to investigate potential compromise can be found in the GitLab Security release linked below:
https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitla...
*Assistance / Where can I go for help?*
Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).
*Read this alert on the website: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-in-gitlab-products*
*Are you a victim of cybercrime? Visit ReportCyber https://www.cyber.gov.au/report-and-recover/report to take your next steps.*
*We use hyperlinks to give you more information. If you don't want to click hyperlinks, you can search for the information on ASD's ACSC Website.*
*CONTACT US*
Web: https://www.cyber.gov.au https://www.cyber.gov.au/about-us/about-acsc/contact-us
X (Twitter): https://twitter.com/CyberGovAU
Facebook: https://www.facebook.com/cybergovau
LinkedIn: https://www.linkedin.com/company/australian-cyber-security-centre
YouTube: https://www.youtube.com/channel/UChO_bPg4QOWxSOzH4OYw3Tg/featured
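The alert gives the affected version ranges as prose, which is fine to read but awkward to apply across a fleet of self-managed instances. The following is an added example (not part of the thread, the ACSC alert, or GitLab's own tooling) that turns the alert's range table into a check: it parses GitLab version strings as reported by the `/api/v4/version` endpoint or `gitlab-rake gitlab:env:info` (including `-ee` and `-pre` suffixes), decides whether a version sits inside one of the listed ranges, and names the first patched release in that series. The function names and the host inventory are this example's own constructions; the patched releases (16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, 16.7.2) are taken from the alert's "Affected versions" section, reading each "prior to X" as X being the first fixed release.

```python
"""Check GitLab version strings against the CVE-2023-7028 affected ranges
listed in the ACSC alert. Added example; the FIXED_PATCH table is
transcribed from the alert, everything else is this example's own."""
from __future__ import annotations

import re
import sys

# First patched release per minor series, as given in the alert. A series
# is affected from its .0 release up to, but not including, this patch level.
FIXED_PATCH: dict[tuple[int, int], int] = {
    (16, 1): 6,
    (16, 2): 9,
    (16, 3): 7,
    (16, 4): 5,
    (16, 5): 6,
    (16, 6): 4,
    (16, 7): 2,
}

# GitLab reports versions such as "16.7.1", "16.7.1-ee" or "v16.7.0-pre".
# Only the leading numeric triple matters for the range check; edition and
# pre-release suffixes are ignored. Assumption: a "-pre" build is treated as
# the numbered release it precedes, so nightly builds still need a manual look.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a GitLab version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fixed_version(version: str) -> str | None:
    """Smallest patched release in the same minor series, or None when the
    series is not in the alert's table (e.g. 16.0 or 16.8)."""
    major, minor, _ = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else f"{major}.{minor}.{fixed}"


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the alert's affected ranges."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Series not listed in the alert: outside the stated ranges.
        return False
    return patch < fixed


def assess(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if is_affected(version):
        return (f"{version}: AFFECTED by CVE-2023-7028, upgrade to "
                f"{fixed_version(version)} or later")
    return f"{version}: not in the alert's affected ranges"


# Constructed inventory (hostnames are placeholders, not real instances).
SAMPLE_INVENTORY: dict[str, str] = {
    "git.example.test": "16.7.1-ee",
    "ci.example.test": "16.4.5",
    "legacy.example.test": "16.1.0",
}


def sweep(inventory: dict[str, str]) -> dict[str, bool]:
    """Map each host to whether its reported version is affected."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Pass version strings on the command line, or run the sample sweep.
    versions = sys.argv[1:] or list(SAMPLE_INVENTORY.values())
    for v in versions:
        print(assess(v))
```

Note that the check only answers "is this version inside the ranges the alert names"; it does not tell you whether an instance was already exploited before the upgrade. For that, the alert points to the GitLab security release, and enforcing multi-factor authentication remains the compensating control while the upgrade is scheduled.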
Hi Howard,
Thanks for forwarding. Although users may be using GitLab in their organizations, the LedgerSMB project itself doesn't use GitLab, so this specific report does not apply to resources used by the project.
Regards,
Erik.
On Mon, Jan 15, 2024 at 11:45 AM Howard Lowndes howard.lowndes@gmail.com wrote:
Is this security alert of any interest?
users mailing list -- users@lists.ledgersmb.org To unsubscribe send an email to users-leave@lists.ledgersmb.org
Thanks for the clarification.
On Tue, 16 Jan 2024, 07:57 Erik Huelsmann, ehuels@gmail.com wrote:
Hi Howard,
Thanks for forwarding. Although users may be using GitLab in their organizations, the LedgerSMB project itself doesn't use GitLab, so this specific report does not apply to resources used by the project.
Regards,
Erik.
On Mon, Jan 15, 2024 at 11:45 AM Howard Lowndes howard.lowndes@gmail.com wrote:
Is this security alert of any interest?
-- Bye,
Erik.
http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.
participants (3)
- alianamartin879@gmail.com
- Erik Huelsmann
- Howard Lowndes