Response to CVE-2022-1162 using LDAP

DanySahne288 · April 4, 2022, 5:19pm

Regarding this article: GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7 | GitLab

I’ve upgraded from 14.8.2 to 14.9.2. The script at the end of the article lists a few users for me. That means all these users are affected? Since they are all LDAP users, do these users need to reset their LDAP password? What does the reset described here Reset a user's password | GitLab do for LDAP users?
Any help would be appreciated, I’m new to GitLab and rather confused what to do now.

iwalker · April 4, 2022, 6:17pm

Since you are using LDAP, it should be changed from the LDAP side, and not using the method from the gitlab docs reset a users password page. So either force the reset within LDAP or ask those users to change their passwords themselves.

DanySahne288 · April 4, 2022, 9:28pm

I’ve come across this Generated passwords for users created through integrated authentication | GitLab. So I’m assuming that’s the static/hardcoded password and why the passwords should be reset. That’s what I ended up doing.