Is this security alert of any interest.

---------- Forwarded message ---------
From: ACSC Alerts <alerts.acsc@contact.cyber.gov.au>
Date: Mon, 15 Jan 2024, 18:16
Subject: [CRITICAL ALERT: ACT NOW] Critical vulnerabilities in GitLab Products
To: <howard.lowndes@gmail.com>

15 January 2024

Dear ASD's ACSC Alert Service subscriber

This Alert is relevant to Australians who use GitLab on any platform. These vulnerabilities impact the versions listed below:

- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1

This alert is intended to be understood by all users.

Customers are encouraged to patch to the latest version using the GitLab upgrade path and to enforce multi-factor authentication for all GitLab accounts.

*Background / What's happened?*

- GitLab has posted a security advisory and patch to address several vulnerabilities, the most severe of which is CVE-2023-7028.
- CVE-2023-7028 allows an account takeover via the ability to have password reset emails delivered to an unauthenticated email address.
- Multi-factor authentication should be enabled immediately for all GitLab users, and self-managed instances should be upgraded to the latest version as soon as possible.
- Users with multi-factor authentication already enabled may be impacted by a password reset; however, an attacker would not be able to take over their account using this vulnerability.
- GitLab is not aware of any active exploitation of this vulnerability, which was discovered via their Bug Bounty program.

*Affected versions / applications:*

- CVE-2023-7028: This vulnerability impacts all versions of GitLab CE/EE from 16.1 to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2.
- The security release also addresses CVE-2023-5356, CVE-2023-4812, CVE-2023-6955 and CVE-2023-2030.

*Mitigation / How do I stay secure?*

- Multi-factor authentication should be enabled immediately for all GitLab users.
- Self-managed instances should be upgraded to the latest version as soon as possible. GitLab advises managed instances have now all had the patch applied.
- Further information and details to investigate potential compromise can be found in the GitLab Security release linked below:
  https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitla...

*Assistance / Where can I go for help?*

Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).

Read this alert on the website: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-in-gitlab-products

Are you a victim of cybercrime? Visit ReportCyber <https://www.cyber.gov.au/report-and-recover/report> to take your next steps.

CONTACT US
Web: https://www.cyber.gov.au
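As an added example (not part of the ACSC alert or of GitLab's own tooling), the following Python check classifies a GitLab version string against the fix versions the alert lists for CVE-2023-7028, so an inventory of self-managed instances can be triaged before upgrading. The host names are constructed, and collecting each instance's version (for instance from GitLab's GET /api/v4/version endpoint) is assumed to have happened elsewhere.

```python
from __future__ import annotations

# First fixed patch release for each affected minor series, taken from the
# alert's "Affected versions" section (fixed in 16.1.6, 16.2.9, ..., 16.7.2).
FIXED_IN = {
    (16, 1): 6, (16, 2): 9, (16, 3): 7, (16, 4): 5,
    (16, 5): 6, (16, 6): 4, (16, 7): 2,
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; an edition suffix such as '-ee' is ignored."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(text: str) -> bool:
    """True when the version is in an affected series and below its fix."""
    major, minor, patch = parse_version(text)
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return False  # series not named in the alert (e.g. 15.x or 16.8+)
    return patch < fixed_patch


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to 'PATCH NOW', 'ok' or 'unknown' from its reported version.

    `inventory` is host -> version string, e.g. the "version" field that
    GitLab's GET /api/v4/version returns (assumed already collected).
    """
    result: dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "PATCH NOW" if is_affected(version) else "ok"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"git.example.internal": "16.7.1-ee", "ci.example.internal": "16.6.4",
              "legacy.example.internal": "15.11.13", "broken": "16.7"}
    for host, status in triage(sample).items():
        print(f"{host:26} {status}")
```

A host reported as "unknown" (unparseable version) should be checked by hand rather than assumed safe, and a version outside the listed series is only "ok" with respect to this alert.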