CVE-2022-3331 An issue was found in GitLab EE versions before 15.2.4, 15.3.2, and 14.5 before 15.1.6.

An attacker may leverage the remote code execution vulnerability to obtain access to the affected system and then use that access to install arbitrary code on it. This may lead to a takeover of the affected system and may be exploited to cause denial of service, exfiltration of data, installation of malware, and similar impacts.

GitLab Zentao is an enterprise-ready open source project; as such, Zentao Enterprise users are recommended to upgrade to the latest version.
If you are using GitLab EE on a cloud hosted system such as GCP, or on a shared hosting service such as Arvixe or BlueHost, upgrading your GitLab EE may not be as easy as flipping a switch. You may need to upgrade your entire infrastructure, or at least your virtual machine. Please contact your hosting provider and request the upgrade.

Upgrading to GitLab Zentao 2.0

After installing the upgrade, there are a few things you'll need to do before upgrading your GitLab EE instance.
- First, create a backup of your GitLab data directory in case anything goes wrong during the upgrade.
- Second, make sure that you have enough disk space on your system for the new storage size.
- Third, if you're using GitLab EE with LDAP authentication, make sure that you've removed any LDAP users or groups as these will be removed by the upgrade process.
- Fourth, install and configure GitLab 2.0: https://docs.gitlab.com/ee/upgrade/install/#using-gitlab2#installing-gitlab2-on-a-new-machine
Your host must support Docker 1.7 or higher to run version 2 of GitLab, and it is recommended that the host also run version 2 of Docker, because version 2 of GitLab is incompatible with older versions. If you can't upgrade your hosting provider to meet all of these requirements, please contact them and ask them to provide an installation guide for GitLab 2.0 and to support Docker 1.7 or higher, so that you can use this upgrade instead of migrating to another platform after upgrading to 1.7 or higher (explained below).

Check your version

First and foremost, it is important to check the version of GitLab EE you are using.
If you are using GitLab CE, you can quickly do this by checking your version in the administration console.
If you are using GitLab EE on a cloud hosted system such as GCP, or on a shared hosting service such as Arvixe or BlueHost, please contact your hosting provider for assistance with upgrading GitLab EE.

Check your GitLab version

As soon as you find out that your GitLab version is outdated, you should upgrade. While there are more recent versions of GitLab EE available, we recommend upgrading to the latest version to avoid future compatibility issues. To check the current version of GitLab EE that is running on your system, run the following command in a terminal window:
$ gitlab-ee --version
You will see something similar to the following output:
GitLab EE Version 5.0.x
If your version is older than 5.0, please upgrade to a newer compatible version of GitLab EE.
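The version check above is easier to apply across many instances if it is scripted. The following is an added example, not code from the advisory or from GitLab: it parses a version string of the form shown above and compares it against the three patched releases named at the top of this page (15.1.6, 15.2.4 and 15.3.2). It assumes the usual GitLab backport pattern, namely that each patched release fixes its own minor branch and that every release older than the oldest patched release is affected; the function and constant names are the example's own.

```python
"""Added example: flag GitLab EE version strings that fall in the affected
range described by this advisory (example code, not from the page)."""
import re
from typing import Optional, Tuple

# Patched releases exactly as listed in the advisory text.
PATCHED = ("15.1.6", "15.2.4", "15.3.2")

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted numeric version from text such as
    'GitLab EE Version 15.2.3-ee'. A missing patch component is read as 0.
    Returns None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text: str) -> bool:
    """Return True when the installed version is older than the fix for its
    branch. Assumption (not stated on the page): 15.3.x is fixed at 15.3.2,
    15.2.x at 15.2.4, and everything older than 15.1.6 is affected."""
    installed = parse_version(version_text)
    if installed is None:
        raise ValueError(f"no version number found in {version_text!r}")
    fixes = [f for f in (parse_version(p) for p in PATCHED) if f is not None]
    branch_fixes = {(f[0], f[1]): f for f in fixes}   # (major, minor) -> fix
    oldest_fix = min(fixes)
    branch = (installed[0], installed[1])
    if branch in branch_fixes:
        return installed < branch_fixes[branch]
    return installed < oldest_fix


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Return the patched release for the installed branch, or the newest
    patched release when the branch has no fix of its own. None means the
    installed version is already at or past its fix."""
    if not is_affected(version_text):
        return None
    installed = parse_version(version_text)
    assert installed is not None  # is_affected already rejected None
    for p in PATCHED:
        f = parse_version(p)
        if f is not None and (f[0], f[1]) == (installed[0], installed[1]):
            return p
    return max(PATCHED, key=lambda p: parse_version(p) or (0, 0, 0))


if __name__ == "__main__":
    # Constructed sample outputs, in the shape shown in the advisory text.
    for sample in ("GitLab EE Version 15.3.1-ee", "GitLab EE Version 15.3.2",
                   "GitLab EE Version 14.5.0", "GitLab EE Version 15.4.0"):
        print(f"{sample}: affected={is_affected(sample)}, "
              f"upgrade_to={recommended_upgrade(sample)}")
```

Feed the output of your own version check into is_affected; a True result means the instance should be moved to the release returned by recommended_upgrade before anything else on the upgrade checklist.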

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/20/2022 14:30:00 UTC
