Are the vulnerabilities detailed at https://about.gitlab.com/releases/2022/06/30/critical-security-release-gitlab-15-1-1-released/ present in Gitlab Omni 13.12.12 please?

Hi,

Is anyone able to confirm if the vulnerabilities detailed at GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5 | GitLab are present in Gitlab Omni 13.12.12 please?

As you would expect, I am particularly interested in the critical / high ones.

Thanks,

B

Probably, but I guess noone care as that version has been out of security support for a long time (since 22 August 2021). So if you care about security you shouldn’t be running it anyway.

Not only that, there was a critical CVE related to it being compromised which affected older versions and ended up with cryptominers running on the server and high cpu usage. If your server is accessible to the internet, then you should be upgrading regularly, eg: every week to ensure that it is not vulnerable.

Even if it’s not accessible to the internet, some sort of upgrade process should be followed, since compromised computers in the office could cause issues with the server if they have access to it.

1 Like

Thanks for your input @iwalker / @grove

I agree with your views and I will not comment on our security as you would expect

Gitlab Inc. state in the release info that the vulnerability is not present in our version
I should have checked that before posting - I wont bore you with the reasons why I didn’t

That GitLab Inc. doesn’t mention your version in the report, might just stem from the fact that it wasn’t a version they cared about, it didn’t even share major version with any versions they cared about. The announcement just said “affecting all versions starting from 14.0 prior to 14.10.5” (and all other reports I have seen used similar wording), I wouldn’t read that so say that 13.12.12 wasn’t vulnerable, just that they didn’t feel a need to check whether the vulnerable code was introduced in 14.0 or if it was already present prior.

Each individual vulnerability in a Security release details which versions of GitLab are vulnerable to that vulnerability.

Every vulnerability in a Security release will have the first release that contained that vulnerability and each subsequent version that contains the vulnerability.

For example, for CVE-2022-2185: Remote Command Execution via Project Imports, the release post states that:

A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1

This indicates that the vunerability was first introduced in GitLab version 14.0 and it’s present in 14.0.0 - 14.10.5, 15.0.0 - 15.0.4, and 15.1.0. If it was affecting GitLab versions 13.x or earlier, it would be explicitly noted in the release post.

For example, CVE-2022-1983: IP allow-list bypass to access Container Registries indicates that this vulnerability was first introduced in version 10.7.

Details on all CVEs affecting GitLab and the versions of GitLab vulnerable to said vulnerabilities can also be found here: Files · master · GitLab.org / cves · GitLab

I personally find that viewing the vulnerabilities there gives me a clear understanding of what versions are impacted.

For example:

One can view this data for a specific vulnerability by clicking CVE link in the release post and then clicking the top link under “references” on the Mitre CVE record page.

2 Likes

Thanks @gitlab-greg / @grove / @iwalker …

I read through the CVE JSON for the critical vulnerability and it certainly reflects Greg’s specific advice

Given Greg speaks for Gitlab Inc. I will accept his statement that the “vulnerability was first introduced in GitLab version 14.0” as a fact and formulate my next actions based on this and other factors

Until Greg wrote those words, @grove’s perspective that the wording and (to me) even the JSON could be interpreted as the result of v13 being old and untested for this vulnerability seemed plausible

Thanks @unique .

GitLab will identify and note all versions of GitLab affected by a particular vulnerability in our Security release posts and CVE repository. You can see an example of this here, where we fixed a vulnerability in 15.1 that’s been around since 10.7.

GitLab “cares” about all versions of GitLab that people are running and our application security team will identify and share details on all the versions affected by a vulnerability - no matter how old the version of GitLab is.

More details on our Security release process can be found here: