Any user running a vulnerable version of GitLab should upgrade to a patched version as soon as possible, preferably the latest version of GitLab.
If upgrading immediately is not an option:
Mitigations & Workarounds
Hotpatch
Anyone running a vulnerable, public-facing GitLab self-managed instance unable to immediately upgrade to a patched version can apply a patch as a temporary hotfix. Applying this patch will change the relevant code to prevent further exploitation of the vulnerability.
The commands to run on a GitLab Omnibus Linux installation are:
sudo su
cd ~
curl -JLO https://gitlab.com/gitlab-org/build/CNG/-/raw/master/gitlab-ruby/patches/allow-only-tiff-jpeg-exif-strip.patch
cd /opt/gitlab/embedded/lib/exiftool-perl
patch -p2 < ~/allow-only-tiff-jpeg-exif-strip.patch
If you’re running a vulnerable version, can’t upgrade immediately, and you can’t apply the hotpatch for whatever reason, you can:
Replace the exiftool script with cat -
This workaround will prevent all stripping of exif data from uploaded images.
Replace /opt/gitlab/embedded/bin/exiftool with a file containing this content:
#!/bin/bash
cat -
If needed, chmod a+x exiftool to ensure it’s executable.
Important
These workarounds are applicable only on Rails / Workhorse nodes (anything with HTTP GitLab components exposed).
To remain patched against exploitation of this vulnerability while running vulnerable versions of GitLab SM accessible via the public internet:
- You MUST perform the workaround every time GitLab is updated or reinstalled, until reaching version 13.10.3+ (for Linux package or source installation)
- You must perform the workaround every time you update or deploy a fresh container. (for Docker / Kubernetes deployments)
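Because the workaround has to be redone after every update, reinstall or fresh container, a post-deploy check is useful. The script below is an added example, not GitLab's own tooling: it reports whether a node's GitLab version is still below 13.10.3 (the threshold the advisory names) and whether the "cat -" wrapper is in place at the Omnibus path; the version format (e.g. "13.10.2-ee") is an assumption, and the hotpatch route is not detected.

```shell
#!/bin/sh
# Added check (not from the GitLab advisory): run after every upgrade, reinstall
# or container deploy to confirm whether the "cat -" workaround is still needed
# and still installed. Only the wrapper workaround is detected, not the hotpatch.

GITLAB_EXIFTOOL="/opt/gitlab/embedded/bin/exiftool"   # Omnibus path from the advisory

# Succeeds (exit 0) when GitLab version $1 is below 13.10.3, the version the
# advisory names as the point where the workaround is no longer needed.
# Accepts edition suffixes such as "13.10.2-ee" (assumed format).
needs_workaround() {
    v="${1%%-*}"
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -lt 13 ] && return 0
    [ "$maj" -gt 13 ] && return 1
    [ "$min" -lt 10 ] && return 0
    [ "$min" -gt 10 ] && return 1
    [ "$pat" -lt 3 ]
}

# Succeeds when the file at $1 is an executable whose body is the "cat -"
# passthrough installed by the workaround (EXIF stripping disabled).
is_passthrough_wrapper() {
    [ -f "$1" ] && [ -x "$1" ] && grep -qx 'cat -' "$1"
}

# One status line for a node running GitLab $1 with exiftool at $2.
# Exit 0 = nothing to do, 1 = workaround required but not in place.
check_host() {
    ver="$1"; tool="${2:-$GITLAB_EXIFTOOL}"
    if ! needs_workaround "$ver"; then
        echo "OK: GitLab $ver is at or above 13.10.3, no workaround needed"
        return 0
    fi
    if is_passthrough_wrapper "$tool"; then
        echo "OK: GitLab $ver is vulnerable, but $tool is the cat - wrapper"
        return 0
    fi
    echo "ACTION: GitLab $ver is vulnerable and $tool is not the wrapper"
    return 1
}
```

For nodes that took the hotpatch route instead, `patch -p2 -R --dry-run < ~/allow-only-tiff-jpeg-exif-strip.patch` run from /opt/gitlab/embedded/lib/exiftool-perl exits 0 only when the patch is already applied.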