Consul RCE vulnerability `enable-script-checks`
Summary
GitLab Premium in GitLab customer engaged GitLab Support to disclose the ability to exploit an RCE vulnerability in Consul, using GitLab Omnibus version v15.11.3 with Consul 1.12.5.
In 2019 there was an MR that addressed this by upgrading Consul for Omnibus: !3400 (merged)
This MR addressed the following issue: #4124 (closed)
The customer has indicated that upgrading the Consul version to a patched version is not enough to mitigate the vulnerability. Apparently we still set enable_script_checks
to true
by default in the Omnibus cookbook, and part of the mitigation is changing enable_script_checks
to enable_local_script_checks
.
Steps to reproduce
Mitigation steps
Example Project
What is the current bug behavior?
What is the expected correct behavior?
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
)(we will only investigate if the tests are passing)