GitLab Vulnerability to Spring4Shell

Hello,
I was wondering if GitLab could be affected by the vulnerability known as Spring4Shell.
This vulnerability targets the Spring Core Java framework.
Link:

Hi @spg

AFAIK Gitlab itself is mostly Ruby.

According to GitLab.org / GitLab · GitLab it is 66% Ruby, 20% JavaScript, 7% Vue, 2.5% plpgsql and 2% Haml :slight_smile:


Would like to see proactive response from anyone on the Gitlab team regarding this, please. Pls don’t make us wait until Monday.

From this link: Spring patches leaked Spring4Shell zero-day RCE vulnerability

Since GitLab doesn't use the JDK, and since it also doesn't use Apache Tomcat or the Spring Framework, there is no problem as far as I can see. GitLab is Ruby-based, as was previously mentioned.

Upon becoming aware of the vulnerabilities, we immediately mobilized our Security and Engineering teams to determine usage of this software component and its potential impact within our product, across our company, and within our third-party software landscapes.

At this time, no malicious activity, exploitation, or indicators of compromise have been identified on GitLab.com. Further, our product packaged Java components for both GitLab.com and self-managed instances do not use vulnerable Spring components, and thus are not vulnerable.

Source:
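For a self-managed admin who wants to confirm the statement above on their own instance, here is an added example (not from this thread and not GitLab's own tooling) that inventories the JAR/WAR files under a directory you choose (for example your install root, which is an assumption you supply) and reports any that carry Spring Framework classes or `org.springframework` Maven metadata, with the embedded version. The `demo()` function builds a constructed stand-in JAR so the scan can be exercised offline.

```python
import os, tempfile, zipfile

SPRING_PREFIX = "org/springframework/"                # Spring Framework class tree
MAVEN_PREFIX = "META-INF/maven/org.springframework/"  # embedded pom.properties


def inspect_jar(path):
    """Return {artifact: version} for Spring Framework artifacts found in one JAR/WAR."""
    found, has_classes = {}, False
    try:
        with zipfile.ZipFile(path) as jar:
            for name in jar.namelist():
                if name.startswith(SPRING_PREFIX):
                    has_classes = True
                elif name.startswith(MAVEN_PREFIX) and name.endswith("pom.properties"):
                    artifact = name.split("/")[3]  # .../org.springframework/<artifact>/pom.properties
                    version = "unknown"
                    for line in jar.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            version = line.split("=", 1)[1].strip()
                    found[artifact] = version
    except zipfile.BadZipFile:
        return {}  # not a real archive; skip it
    if has_classes and not found:
        found["spring (no maven metadata)"] = "unknown"  # shaded or repackaged copy
    return found


def scan_tree(root):
    """Walk root; return {jar_path: {artifact: version}} only for JARs that contain Spring."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war")):
                result = inspect_jar(os.path.join(dirpath, f))
                if result:
                    hits[os.path.join(dirpath, f)] = result
    return hits


def build_sample_jar(path, artifact="spring-beans", version="5.3.17"):
    """Constructed stand-in JAR for the demo; it contains no real Spring code."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(f"{MAVEN_PREFIX}{artifact}/pom.properties", f"version={version}\n")
        jar.writestr(f"{SPRING_PREFIX}beans/BeanWrapper.class", b"")


def demo():
    """Scan a temp dir holding one constructed Spring-like JAR and one plain JAR."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_jar(os.path.join(d, "spring-beans-5.3.17.jar"))
        with zipfile.ZipFile(os.path.join(d, "plain.jar"), "w") as jar:
            jar.writestr("com/example/App.class", b"")
        return {os.path.basename(p): v for p, v in scan_tree(d).items()}
```

A real run is `scan_tree("/path/to/install")`; an empty result means no Spring artifacts were found in the JARs under that path, which is the condition the GitLab statement describes.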