2018-03-06-reconfigure-inbound-email-for-gitlab-notification.html.md 1.82 KB
---
title: "GitLab inbound email issue notification"
date: 2018-03-06
author: Jim Thavisouk
author_gitlab: Thavisouk
author_twitter: gitlab
categories: releases
tags: security, gitlab
description: "We've identified a potential risk impacting those using our email an issue to project, Reply by Email, and Service Desk features."
ee_cta: false
tags: security, inside GitLab
---

GitLab.com gives users the ability to [create new issues via email](https://docs.gitlab.com/ee/user/project/issues/create_new_issue.html#new-issue-via-email), which can also be managed through [Service Desk](https://docs.gitlab.com/ee/user/project/service_desk.html). This works through a dynamically generated email address that is currently hosted on GitLab's own domain (`@gitlab.com`). It has come to our attention that an attacker can abuse this process to perform actions outside its intended scope using the `@gitlab.com` domain. This issue affects users of the email-an-issue-to-project feature, [Reply by Email](https://docs.gitlab.com/ee/administration/reply_by_email.html), and Service Desk.

<!-- more -->

## Customer remediation steps

Our users should check to see if they are using the create new issues via email feature.

If aliases were used, update those aliases from `@gitlab.com` to `@incoming.gitlab.com`.

If domain whitelisting was used, please update those domains from `@gitlab.com` to `@incoming.gitlab.com`.

These changes can be made _immediately_.
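The three remediation steps above amount to an audit of every alias and allowlisted domain in your own mail configuration. The script below is an added example for that audit, not GitLab's own tooling: it assumes the entries come from your forwarding or allowlist configuration as plain strings (full addresses, addresses with a display name, or bare domains), and the helper names `classify`, `migrate` and `audit` are this example's own. It matches the `gitlab.com` domain exactly, so look-alike domains and subdomains are reported rather than silently rewritten, and entries already on `incoming.gitlab.com` are left alone.

```python
"""Audit inbound-email aliases / allowlisted domains and rewrite the legacy
@gitlab.com entries to @incoming.gitlab.com.

Added example, not GitLab's own tooling. Entries are assumed to come from
your own mail-forwarding or allowlist configuration, one string each: a full
address, an address with a display name, or a bare domain (with or without
a leading '@').
"""
from email.utils import parseaddr

LEGACY_DOMAIN = "gitlab.com"
NEW_DOMAIN = "incoming.gitlab.com"


def _split(entry: str):
    """Return (local_part, domain) for an address, or ("", domain) for a bare domain."""
    entry = entry.strip()
    # Domain-only entries such as "gitlab.com" or "@gitlab.com".
    if "@" not in entry or entry.startswith("@"):
        return "", entry.lstrip("@").lower()
    # Full addresses may carry a display name: 'Service Desk <x@gitlab.com>'.
    _, addr = parseaddr(entry)
    if "@" not in addr:
        return "", entry.lstrip("@").lower()
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def classify(entry: str) -> str:
    """'legacy'   -> still points at gitlab.com exactly (needs migration)
    'migrated' -> already on incoming.gitlab.com
    'other'    -> anything else, including subdomains and look-alike domains,
                  which are deliberately NOT treated as legacy."""
    _, domain = _split(entry)
    if domain == LEGACY_DOMAIN:
        return "legacy"
    if domain == NEW_DOMAIN:
        return "migrated"
    return "other"


def migrate(entry: str) -> str:
    """Rewrite a legacy entry to the new domain; everything else is returned unchanged."""
    if classify(entry) != "legacy":
        return entry.strip()
    local, _ = _split(entry)
    return f"{local}@{NEW_DOMAIN}" if local else f"@{NEW_DOMAIN}"


def audit(entries):
    """Return (report, rewritten): the report groups entries by classification,
    rewritten is the configuration with legacy entries migrated."""
    report = {"legacy": [], "migrated": [], "other": []}
    for entry in entries:
        report[classify(entry)].append(entry.strip())
    return report, [migrate(entry) for entry in entries]


# Constructed sample configuration; the local parts are made up, not real project keys.
SAMPLE_ENTRIES = [
    "incoming+mygroup-myproject-1234-abcdef-issue@gitlab.com",
    "Service Desk <incoming+mygroup-myproject-1234-abcdef@GitLab.com>",
    "@gitlab.com",
    "incoming+other-project-99-ffff-issue@incoming.gitlab.com",
    "support@notgitlab.com",
    "alerts@mail.gitlab.com",
]

if __name__ == "__main__":
    report, rewritten = audit(SAMPLE_ENTRIES)
    for kind, items in report.items():
        print(f"{kind}: {items}")
    print("rewritten:", rewritten)
```

Anything reported under `other` needs a human look: the advisory only covers the exact `@gitlab.com` domain, so a subdomain or a look-alike entry is either unrelated to this change or a mistake in your own configuration, and the script does not guess which.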

## GitLab remediation strategy

We will update the addresses from `@gitlab.com` to `@incoming.gitlab.com`.

We will reach out directly to users who are still using the old addresses to make sure they switch to the new ones, by **April 17, 2018**.

All addresses on the `@gitlab.com` domain will be disabled on **April 31, 2018**. Incoming email to those addresses will be rejected.