CVE-2021-22205: How to determine if a self-managed instance has been impacted

Additionally, please consider subscribing to our security alerts via the Communication Preference Center | GitLab so you are emailed when GitLab publishes a security release.

3 Likes

We at AWS had all our AMIs of GitLab inspected and - if needed - upgraded.

1 Like

Another indicator was shared by @antondollmaier: Presence of __$$RECOVERY_README$$__.html files in Git repos, plus POST /uploads/user HTTP/1.0 events in logs. Thank you!

2 Likes
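An added example (not part of any post in this thread, and not GitLab's own tooling): a small Python triage helper that looks for the indicators mentioned in this thread, namely files ending in .locked or .html (including __$$RECOVERY_README$$__.html) under the Git data directory and POST /uploads/user requests in the access log. The nginx combined-style log layout, the sample log lines and the function names are assumptions.

```python
import os
import re
import sys

# File-name indicators quoted in this thread.
SUSPICIOUS_SUFFIXES = (".locked", ".html")
RANSOM_NOTE = "__$$RECOVERY_README$$__.html"

# Assumption: access log lines use an nginx "combined"-style layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /uploads/user(?:\?\S*)? (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)

def scan_repo_tree(root):
    """Return sorted (path, reason) pairs for suspicious files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                hits.append((os.path.join(dirpath, name), "ransom note"))
            elif name.endswith(SUSPICIOUS_SUFFIXES):
                # Git's own "*.lock" files do not end in ".locked" and are skipped.
                hits.append((os.path.join(dirpath, name), "suspicious suffix"))
    return sorted(hits)

def scan_access_log(lines):
    """Return (ip, timestamp, protocol, status) for each POST /uploads/user."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            out.append((m["ip"], m["ts"], m["proto"], int(m["status"])))
    return out

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2021:10:00:01 +0000] "POST /uploads/user HTTP/1.0" 422 24 "-" "-"',
    '198.51.100.4 - - [01/Nov/2021:10:00:05 +0000] "GET /users/sign_in HTTP/1.1" 200 9000 "-" "-"',
    '198.51.100.4 - - [01/Nov/2021:10:00:09 +0000] "POST /uploads/users HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("log hit:", hit)
    # Optional argument: the Git data directory to scan (site-specific path).
    for path, reason in scan_repo_tree(sys.argv[1]) if len(sys.argv) > 1 else []:
        print("file hit:", reason, path)
```

Treat any match as a lead to investigate; an empty result does not rule out compromise.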

We’ve seen recent reports of unpatched, publicly accessible GitLab instances having Git repository data encrypted by a ransomware attack.

Indicators of compromise associated with this may include:

  • Users unable to clone or push any projects
  • Errors when trying to view repositories in the UI
  • Suspicious files in the Git repo directories on the server (e.g. files ending in .locked or .html)

If you find that data has been encrypted by a ransomware attack, industry-standard best practice is to:

  • follow your organization's security incident response and disaster recovery plan
  • restore to the last known working backup (one taken before the ransomware attack)

To help mitigate the threat of abuse and attacks moving forward: