Because we acted quickly once an update was available, GitLab was updated within an hour and was immediately available again.
See the messages below for more information. If you have any questions, we at GX Customer Services will be happy to help. We can be reached via the following channels:
- Submit a ticket through the service portal: https://service.gxsoftware.com/hc/nl/requests/new
- Or send an email to GX.CustomerServices@gxsoftware.com
- For urgent matters (or just a chat) we can always be reached by phone during office hours: 024-3515130
This morning, we were notified that vulnerabilities had been found in GitLab Community Edition and GitLab Enterprise Edition. An attacker could exploit them to cause the following categories of damage:
- Cross-Site Scripting (XSS)
- Denial-of-Service (DoS)
- Manipulation of data
- Authentication circumvention
- Security measure circumvention
- (Remote) code execution (with user rights)
- Access to sensitive data
- Access to system data
For more information, see: https://advisories.ncsc.nl/advisory?id=NCSC-2022-0559
Update September 1
The vulnerability that GitLab rates as "Critical" allows an authenticated remote attacker to execute arbitrary code on the underlying system with the application's privileges via the "Import from GitHub" API endpoint.
We are currently investigating the impact and solutions.
We will update https://gitlab-projects.gxsoftware.com/ to the latest version between 12:00 and 12:30 today. We expect https://gitlab-projects.gxsoftware.com/ to be unavailable for approximately 5 minutes. Please save your work if you are using it at that time.
The update is now underway.
The update of https://gitlab-projects.gxsoftware.com/ is complete and we are now running the latest, secure version, 15.3.2. Issue resolved.