Blog Tags: 

CVE-2016-4340: Privilege escalation via "impersonate" feature in existing v14.0/1 GitLab deployments

It has come to our attention that existing deployments of TurnKey GitLab (versions 14.0 & 14.1) are vulnerable to CVE-2016-4340, a critical security issue that allows authenticated users to escalate their privileges to that of an Administrator.

This issue has been fixed with many others by the GitLab project, as detailed in the 2016-05-02 GitLab Security Advisory.

Due to the seriousness of the issue, new builds of TurnKey GitLab have been published today so new deployments are not vulnerable.

Unfortunately pre-existing deployments still need to be updated manually.

Isn't the GitLab security update installed automatically?

No. To prevent breaking existing deployments TurnKey ONLY auto-installs security updates from the official Debian security repository. GitLab is not officially supported in Debian so it doesn't get automatic updates.

For more details see the "Limitations" section on the Automatic Security Updates page.

What's the recommended way to handle this?

  1. Back up your GitLab deployment (e.g., with TKLBAM).

    Updates to GitLab require user interaction, supervision and testing which is why GitLab IS NOT configured to update itself automatically in the first place.

    Everything may work perfectly afterwards, or not. Be prepared.

  2. Upgrade GitLab manually by following instructions on the dedicated page.

  3. Unfortunately GitLab do not provide a Security Advisory mailing list (or similar). However their newsletter is fairly low traffic (sent twice per month) and always includes Security Advisories, so it is recommended that you subscribe to the GitLab newsletter.

You can get future posts delivered by email or good old-fashioned RSS.
TurnKey also has a presence on Google+, Twitter and Facebook.

Post new comment