It has been reported that a critical vulnerability in both GitLab Community Edition and Enterprise Edition could enable an attacker to steal runner registration tokens. The vulnerability, which affects all versions from 12.10 to 14.6.4, all versions from 14.7 to 14.7.3, and all versions from 14.8 to 14.8.1, was announced in a security advisory from GitLab. If exploited, an unauthorized user is able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands. It has been assigned a CVSS score of 9.6 and has been patched in the latest releases: 14.8.2, 14.7.4, and 14.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).
Commercial software often either includes or runs on open source technologies that present an array of vectors for supply chain attacks. Companies need to invest in building trust into their software and have controls throughout the entire SDLC to monitor not only their source code and binaries, but also proprietary tools (such as GitLab), platforms, and infrastructure, so that they understand how software was built, configured, and deployed. Every company today is not only a software company but also a security company, so organizations need to realise that supply chain risk is a real business risk that needs a holistic Software Supply Chain Risk Management (SSCRM) Program to continually monitor, evaluate, and mitigate evolving cybersecurity risks.
The recent disclosure of CVE-2022-0735 by GitLab is an excellent illustration of the multilayered complexity of the software supply chain. This disclosure highlights the broad reach of the software supply chain, which encompasses not only all the open source and third-party components that make up applications, but also the tools and infrastructure used to build and deploy them. If you make an airplane, the raw materials, engines, seats, and rivets are all part of the supply chain, but so are the wrenches, rivet guns, and other tools and mechanisms used in building the airplane.
The GitLab vulnerability concerns the leakage of authentication tokens that could allow an attacker to observe or hijack a victim's build automation. Left unpatched, it could have given an attacker access to sensitive information or the ability to disrupt the construction and deployment of applications. As always, the first step in securing the software supply chain is awareness. In this case, customers need to be aware of the software components, tooling, and infrastructure that make up their application software supply chains, and take steps to reduce risk at every turn. Tracking vulnerabilities in the supply chain enables organizations to respond quickly by upgrading their deployment of GitLab. Affected GitLab users are urged to upgrade as quickly as possible.
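The affected and patched version ranges quoted above are what a defender actually has to act on when auditing an inventory of GitLab instances. The script below is an added example, not GitLab's code or part of the advisory: it encodes the ranges exactly as this page states them and reports whether a given instance version is affected and which patched release on the same line to move to. It assumes the version string shape returned by GitLab's GET /api/v4/version endpoint (a JSON object with a "version" field such as "14.7.3-ee"); the sample response embedded here is constructed, not captured from a server. Pointing instances on lines older than 14.6 at 14.6.5 (the oldest patched release listed) is this example's own convention, not a recommendation taken from the page.

```python
"""Flag GitLab instance versions that fall inside the CVE-2022-0735 affected ranges.

Added example, not GitLab's own code. Ranges and fixed releases are taken from
the advisory summary on this page; the sample API body is constructed.
"""
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) bounds of the vulnerable ranges stated in the advisory summary.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((12, 10, 0), (14, 6, 4)),
    ((14, 7, 0), (14, 7, 3)),
    ((14, 8, 0), (14, 8, 1)),
)

# Patched releases, keyed by the (major, minor) line they belong to.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (14, 6): (14, 6, 5),
    (14, 7): (14, 7, 4),
    (14, 8): (14, 8, 2),
}

# Example's own convention: lines older than 14.6 have no patched release of
# their own on this page, so they are pointed at the oldest patched release.
OLDEST_FIXED: Version = (14, 6, 5)


def parse_version(text: str) -> Version:
    """Turn '14.7.3', '14.7.3-ee', 'v14.7' into a (major, minor, patch) tuple.

    A missing patch component is treated as .0, so '14.7' means 14.7.0.
    Edition suffixes such as '-ee' are ignored; the advisory covers CE and EE alike.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside any of the stated vulnerable ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Patched release to move to, or None when the version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]), OLDEST_FIXED)
    return ".".join(str(part) for part in fixed)


def check_version_response(body: str) -> Dict[str, object]:
    """Evaluate a GET /api/v4/version JSON body (assumed shape: {"version": ..., ...})."""
    version = json.loads(body)["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": recommended_upgrade(version),
    }


# Constructed sample response; the revision value is a placeholder, not a real commit.
SAMPLE_RESPONSE = '{"version": "14.7.3-ee", "revision": "constructed-placeholder"}'


if __name__ == "__main__":
    for candidate in ("12.9.0", "13.12.0", "14.6.4", "14.6.5", "14.8.1-ee", "14.9.0"):
        print(candidate, "affected" if is_affected(candidate) else "ok", recommended_upgrade(candidate))
    print(check_version_response(SAMPLE_RESPONSE))
```

Run it over the version strings collected from each instance's API (or from the admin page) to get a list of hosts that still need the upgrade; the boundaries are inclusive on both ends, so 14.6.4 is flagged and 14.6.5 is not, matching the advisory.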