Is this security alert of any interest?

---------- Forwarded message ---------
From: ACSC Alerts alerts.acsc@contact.cyber.gov.au
Date: Mon, 15 Jan 2024, 18:16
Subject: [CRITICAL ALERT: ACT NOW] Critical vulnerabilities in GitLab Products
To: howard.lowndes@gmail.com
15 January 2024
Dear ASD's ACSC Alert Service subscriber
This Alert is relevant to Australians who use GitLab on any platform.
These vulnerabilities impact the versions listed below:
- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1
This alert is intended to be understood by all users.
Customers are encouraged to patch to the latest version using the GitLab upgrade path and to enforce multi-factor authentication for all GitLab accounts.
*Background / What’s happened?*
- GitLab has posted a security advisory and patch to address several vulnerabilities, the most severe of which is CVE-2023-7028.
- CVE-2023-7028 allows an account takeover via the ability to have password reset emails delivered to an unauthenticated email address.
- Multi-factor authentication should be enabled immediately for all GitLab users, and self-managed instances should be upgraded to the latest version as soon as possible.
- Users with multi-factor authentication already enabled may be impacted by a password reset; however, an attacker would not be able to take over their account using this vulnerability.
- GitLab is not aware of any active exploitation of this vulnerability, which was discovered via their Bug Bounty program.
*Affected versions / applications:*
- CVE-2023-7028: This vulnerability impacts all versions of GitLab CE/EE from 16.1 to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2.
- The security release also addresses CVE-2023-5356, CVE-2023-4812, CVE-2023-6955 and CVE-2023-2030.
*Mitigation / How do I stay secure?*
- Multi-factor authentication should be enabled immediately for all GitLab users.
- Self-managed instances should be upgraded to the latest version as soon as possible. GitLab advises managed instances have now all had the patch applied.
- Further information and details to investigate potential compromise can be found in the GitLab Security release linked below:
https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitla...
*Assistance / Where can I go for help?*
Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).
*Read this alert on the website: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerabilities-in-gitlab-products*
*Are you a victim of cybercrime? Visit ReportCyber https://www.cyber.gov.au/report-and-recover/report to take your next steps.*
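A small triage helper, added here as an example and not something from the ACSC alert or from GitLab itself: it encodes the "prior to" fixed versions listed in the alert and flags self-managed instances still on a vulnerable 16.x build. The hostnames and the inventory mapping are constructed for the demonstration.

```python
# Added example (not part of the ACSC alert or GitLab's own tooling): checks a
# self-managed GitLab version against the CVE-2023-7028 affected ranges from the
# alert, so an inventory can be triaged for upgrade priority.
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First patched release on each affected minor branch, taken from the alert's
# "prior to" list (16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4, 16.7.2).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}


def parse_version(text: str) -> Version:
    """Parse strings like '16.5.3', 'v16.5.3' or '16.5.3-ee' into a tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'not listed' for CVE-2023-7028."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        # Branch is outside the alert's 16.1 to 16.7 range; not in scope here.
        return "not listed"
    return "vulnerable" if v < fixed else "patched"


def needs_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Hosts (constructed inventory: host -> version) still on a vulnerable build."""
    return sorted(h for h, ver in inventory.items() if assess(ver) == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"git-a.example": "16.5.3-ee", "git-b.example": "16.7.2", "git-c.example": "16.0.8"}
    for host in needs_upgrade(sample):
        print(f"{host}: upgrade required (CVE-2023-7028)")
```

Versions older than 16.1 or newer than 16.7 are reported as "not listed" rather than safe, since the alert only enumerates the 16.1 to 16.7 branches.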