Gitlab CE 17.2.1 OpenSSH Vulnerability in container-based self-hosted installation

Dear forum users,

this is my first post in this forum, so I hope I am posting this in the right place. If not, please let me know.

We run a self-hosted container-based Gitlab CE 17.2.1 with SSH exposed to the internet on port 22. We were alerted by a security scan that the OpenSSH version used in the container is OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022.

This version is affected by CVE-2024-6387, meaning that a potential attacker could gain root access to the running Gitlab container.

Is Gitlab aware of this? And how should we deal with this?

Thanks for the quick and helpful reply!

So, this means, I should turn on gitlab-sshd to be on the safe side, as the OpenSSH version inside the provided container has not been patched yet. Is that correct?

I just realized, according to launchpad.net, that the OpenSSH version in question was patched for CVE-2024-6387 at the beginning of July. The vulnerability has been resolved:

https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.10

Thanks for your help!

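The false positive in this thread comes from a scanner reading only the upstream number in the SSH banner (8.9p1, inside the affected range) and ignoring the Ubuntu package revision (3ubuntu0.10, which is the backported fix from the launchpad link above). The following is an added example, not code from the thread, from GitLab or from Ubuntu: it re-implements the dpkg version ordering (epoch, upstream, revision, with "~" sorting first and letters before non-letters) and applies it to constructed banners. The fixed package string is taken from the launchpad link in the thread; the affected upstream range (8.5p1 up to, but not including, 9.8p1) is from the public CVE-2024-6387 description; the banner strings and the lookup table keyed by distro and upstream version are assumptions made for the example.

```python
import re

# Known backported fix for CVE-2024-6387, keyed by (distro tag, upstream version).
# The only entry here is the one the thread links to; extend it for other series.
FIXED_PACKAGE = {("Ubuntu", "8.9p1"): "1:8.9p1-3ubuntu0.10"}

# Affected upstream range per the public CVE-2024-6387 description.
UPSTREAM_FIRST_AFFECTED = "8.5p1"
UPSTREAM_FIXED = "9.8p1"

# Accepts both a wire banner ("SSH-2.0-OpenSSH_...") and `ssh -V` output.
_BANNER_RE = re.compile(
    r"^(?:SSH-2\.0-)?OpenSSH_(?P<upstream>[0-9][0-9a-z.]*)"   # e.g. 8.9p1
    r"(?:\s+(?P<distro>[A-Za-z]+)-(?P<revision>[^\s,]+))?"    # e.g. Ubuntu-3ubuntu0.10
)


def _order(c):
    """dpkg ordering of one non-digit character: '~' sorts before the end of
    the string, letters before every other character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigits(a, b):
    for i in range(max(len(a), len(b))):
        oa = _order(a[i] if i < len(a) else "")
        ob = _order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream version or a revision: alternate a lexical
    comparison of the non-digit run with a numeric comparison of the digit run."""
    while a or b:
        ma, mb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        c = _cmp_nondigits(ma.group(), mb.group())
        if c:
            return c
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def split_version(v):
    """'1:8.9p1-3ubuntu0.10' -> (1, '8.9p1', '3ubuntu0.10')."""
    epoch, rest = 0, v
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    upstream, _, revision = rest.rpartition("-")
    if not upstream:                       # no '-' present: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_banner(banner):
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    return m.group("upstream"), m.group("distro"), m.group("revision")


def banner_only_verdict(banner):
    """What a scanner that looks only at the upstream number concludes."""
    upstream, _, _ = parse_banner(banner)
    affected = (compare_versions(upstream, UPSTREAM_FIRST_AFFECTED) >= 0
                and compare_versions(upstream, UPSTREAM_FIXED) < 0)
    return "vulnerable" if affected else "not affected"


def package_aware_verdict(banner):
    """Same check, but honour the distro revision carried in the banner."""
    upstream, distro, revision = parse_banner(banner)
    if compare_versions(upstream, UPSTREAM_FIXED) >= 0:
        return "not affected"              # upstream already contains the fix
    if compare_versions(upstream, UPSTREAM_FIRST_AFFECTED) < 0:
        return "not affected"
    fixed = FIXED_PACKAGE.get((distro, upstream))
    if fixed is None or revision is None:
        return "unknown"                   # no backport data for this build
    # The banner carries no epoch, so compare upstream and revision only.
    _, fixed_upstream, fixed_rev = split_version(fixed)
    return ("patched"
            if compare_versions(f"{upstream}-{revision}",
                                f"{fixed_upstream}-{fixed_rev}") >= 0
            else "vulnerable")


if __name__ == "__main__":
    # Constructed sample banners; the first is the string from the thread.
    for b in ["OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022",
              "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.9",
              "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
              "SSH-2.0-OpenSSH_9.8p1"]:
        print(f"{b!r:60} banner-only={banner_only_verdict(b):13} "
              f"package-aware={package_aware_verdict(b)}")
```

The "unknown" verdict is deliberate: for a build the table does not know, the script refuses to guess rather than repeating the scanner's mistake in the other direction. Inside the container, `dpkg -s openssh-server` gives the installed package version with its epoch, and `dpkg --compare-versions` performs the same ordering as `compare_versions` above, so the table can be checked against the real package rather than the banner.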