ALERT: Update GitLab to address Workhorse vulnerability

This vulnerability in GitLab allows for remote command execution (RCE) and is being actively exploited by threat actors. A vendor-supplied update to address this vulnerability was made available several months ago, and must be applied immediately.

GitLab Community Edition (CE) or Enterprise Edition (EE) in affected versions does not properly validate image files passed to a file parser which can result in RCE. Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file.

This vulnerability affects the following versions of GitLab:

• 11.9.x-13.8.7
• 13.9.0-13.9.5
• 13.10.0-13.10.2

There are three action items required for this vulnerability:

• Update systems to a non-affected version immediately.
• Check systems that were running an affected version of GitLab for possible compromise and contact security@umich.edu if you believe that systems may have been compromised. When checking systems, make sure to check for:
  • Check for unexpected listening network services
  • Check for unexpected GitLab user accounts and admin accounts (especially those with @gmail.com addresses)
  • Check for unexpected processes or services
  • Check for unexpected network connections to non-UM hosts
• Ensure that CrowdStrike Falcon is running on your university systems. If you need assistance installing or checking CS Falcon, contact your unit's Falcon admin or Security Unit Liaison (SUL).

There has been recent active exploitation of vulnerable GitLab instances.

GitLab Workhorse passes any files with the extensions jpg|jpeg|tiff through to ExifTool to remove any non-whitelisted tags. The ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file. The result is that arbitrary code inserted in certain files can be executed on the affected system. 

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

In general, the best protection for your systems is to keep your software and apps up-to-date and to be sure CrowdStrike Falcon is installed on all university systems in your unit.

Please contact ITS Information Assurance through the ITS Service Center.

• CVE-2021-22205, The MITRE Corporation, 4/23/21
• CVE-2021-22205 Detail, National Vulnerability Database, 4/23/21
• RCE when removing metadata with ExifTool, GitLab, 4/7/21
• CVE-2021-2205.json, GitLab, 4/7/21