
Hello readers,

There has been an important discovery regarding GitLab, a widely used platform for collaborating on software development projects. A critical Denial of Service (DoS) vulnerability (CVE-2024-7610) has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 15.9 before 17.0.5, 17.1 before 17.1.4, and 17.2 before 17.2.2.

This vulnerability permits an attacker to cause catastrophic backtracking while GitLab parses results from Elasticsearch. Detailed information is available in the original references listed below:

1. GitLab Security Advisory
2. NIST CVE Information

But fear not! This blog post walks you through the vulnerability, gives a code snippet that illustrates how it happens, and offers advice on how to mitigate the risk effectively.

So, how does the vulnerability work?

To understand this, we have to look at the parsing step. When GitLab receives search results from Elasticsearch, it parses them to produce data that can be displayed or processed further by the software. Because that input is not adequately validated, the regular expression GitLab's parser applies to it can be driven, by a crafted result, into a "catastrophic backtracking" situation.

"Catastrophic backtracking" describes a situation where evaluating a regular expression takes an excessive amount of time. Backtracking regex engines (the common kind) explore the ways a pattern can match by trying one alternative and stepping back when it fails; when the pattern contains ambiguous constructs such as nested or overlapping quantifiers, the number of alternatives grows exponentially with the length of the input, and an input that ultimately does not match forces the engine to exhaust every one of them. In the case of this vulnerability, crafted Elasticsearch results push the parser's regex into exactly that state, slowing the parser to a crawl and eventually leading to a denial of service.

Let's take a look at a simplified code snippet that demonstrates this vulnerability:

```python
import re


def vulnerable_search_parser(response_text):
    # Illustrative pattern only: the bracketed text is a placeholder for a
    # real sub-expression, not the pattern GitLab uses. The quantifiers nested
    # inside a repeated group (a lazy ".*?" and a greedy ".*" inside "(...)+")
    # are the shape that lets a backtracking engine try an exponential number
    # of ways to split the input when no overall match exists.
    pattern = r'(?:.*?[;"regex_to_trigger_backtracking"].*)+'
    matches = re.findall(pattern, response_text)
    return matches


# Placeholder stand-in for a crafted Elasticsearch response.
search_results = 'A malicious Elasticsearch response that triggers backtracking'
print(vulnerable_search_parser(search_results))
```

In the snippet, the vulnerable_search_parser function stands in for GitLab's parser processing a search result. A crafted response from Elasticsearch is passed through it, creating a scenario where catastrophic backtracking occurs and slows the whole application down to the point where users cannot access the service, which is what makes this a Denial of Service vulnerability.
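To make the mechanism concrete, here is an added example (not code from this post or from GitLab) that pairs an ambiguous pattern of the kind that backtracks catastrophically with an unambiguous pattern accepting exactly the same inputs, and shows the cheapest defensive check a parser can apply: capping input length before any regex runs. The two patterns, the `hostile_fragment` input and the `MAX_FRAGMENT_LEN` cap are all constructed for this illustration and are not GitLab's.

```python
import re
import time

# Hypothetical parser patterns (constructed for this example; not GitLab's code).
# Both accept the same language: words made of \w characters separated by single
# spaces, with an optional trailing space.
#
# AMBIGUOUS: "(?:\w+\s?)+" lets the engine split a run of n word characters into
# words in 2^(n-1) different ways. When the final "$" fails, a backtracking
# engine tries every split before giving up: exponential time in the input length.
AMBIGUOUS = re.compile(r"^(?:\w+\s?)+$")

# UNAMBIGUOUS: every additional word must be introduced by a literal space, so
# there is exactly one way to consume any input and a failed match is linear.
UNAMBIGUOUS = re.compile(r"^\w+(?:\s\w+)*\s?$")

MAX_FRAGMENT_LEN = 256  # hypothetical size cap for one search-result fragment


def bounded_match(pattern, text, max_len=MAX_FRAGMENT_LEN):
    """Apply `pattern` only to inputs of bounded size.

    Rejecting oversized input before the regex runs is the cheapest defence:
    even a pattern with bad worst-case behaviour cannot be pushed far when
    the input is short. Returns None for rejected or non-matching input.
    """
    if len(text) > max_len:
        return None
    return pattern.match(text)


def hostile_fragment(n):
    """Construct the textbook non-matching input: n word characters followed by
    a character no alternative can consume, so every split must be explored."""
    return "a" * n + "!"


def time_match(pattern, text):
    """Return (matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    # Timing grows roughly 2x per extra character for the ambiguous pattern
    # and stays flat for the unambiguous one.
    for n in (12, 16, 20):
        text = hostile_fragment(n)
        _, slow = time_match(AMBIGUOUS, text)
        _, fast = time_match(UNAMBIGUOUS, text)
        print(f"n={n:2d}  ambiguous={slow:8.4f}s  unambiguous={fast:8.6f}s")
    # The length cap refuses this input outright, so the ambiguous pattern never runs.
    print(bounded_match(AMBIGUOUS, hostile_fragment(5000)))
```

The fix that matters is the rewrite from `AMBIGUOUS` to `UNAMBIGUOUS`: the length cap only limits how far an attacker can push a bad pattern, while removing the ambiguity removes the exponential blow-up altogether.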

How do you remedy the vulnerability?

Given that the vulnerability affects several GitLab release lines, there are three patch versions you need to upgrade to immediately:

If your GitLab version is 17.0.x, or an earlier release from 15.9 onward, upgrade to version 17.0.5.

If your GitLab version is 17.1.x, upgrade to version 17.1.4.

If your GitLab version is 17.2.x, upgrade to version 17.2.2.

Prioritize updating your GitLab instances to the relevant patch version as soon as possible to mitigate this vulnerability and keep your software development pipelines running safely and without interruption.
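To check an instance against those ranges without reading them by hand, here is an added helper (not part of this post or of GitLab's tooling) that encodes the affected ranges as quoted from the advisory in this post (15.9 before 17.0.5, 17.1 before 17.1.4, 17.2 before 17.2.2) and reports which patch release applies. Version strings such as `17.1.3-ee` are accepted; the parsing regex and the function names are this example's own.

```python
import re

# Affected ranges as quoted from the advisory in this post: lower bound inclusive,
# upper bound exclusive. The upper bound of each range is the release that fixes it.
AFFECTED_RANGES = (
    ((15, 9, 0), (17, 0, 5)),
    ((17, 1, 0), (17, 1, 4)),
    ((17, 2, 0), (17, 2, 2)),
)

# Accepts "17.1.3", "17.1.3-ee" or "17.1"; anything after the patch number is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple.

    Raises ValueError for strings that do not start with major.minor.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def affected_by_cve_2024_7610(version):
    """True if the given GitLab CE/EE version falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def recommended_upgrade(version):
    """Return the patch release to upgrade to, or None if the version is not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return ".".join(str(part) for part in high)
    return None


if __name__ == "__main__":
    # Constructed sample versions, one on each side of every boundary.
    for sample in ("16.11.2", "17.0.4-ee", "17.0.5", "17.1.3", "17.2.1", "17.2.2"):
        target = recommended_upgrade(sample)
        print(f"{sample:>10}: {'upgrade to ' + target if target else 'not affected'}")
```

Feed it the version string shown in GitLab's admin area or returned by the `/api/v4/version` endpoint. Note that the first range starts at 15.9, so an instance still on a 16.x release line is affected and the post's guidance is to move it to 17.0.5 or later.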

In conclusion, CVE-2024-7610 poses a significant risk to GitLab CE/EE users across many versions. Stay informed and protect your software environment by following the guidance in this post and the original references.

Timeline

Published on: 08/08/2024 11:15:13 UTC
Last modified on: 08/08/2024 13:04:18 UTC