The 2.4 series release notes contain important changes in this release series.
A CRITICAL issue was identified that allows an attacker to bypass SAML authentication. The vulnerability is applicable if the attacker has access to a validly signed SAML assertion or response against the configured Verification certificate. When applicable, an attacker can sign in as any user, including administrators.
The affected supported versions are:
Note: This is a different vulnerability than the one addressed in GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, and 2.5.20.
A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. The vulnerability is applicable if the attacker has access to configure a repository's Webhooks - owner or admin privileges to a repository.
The affected supported versions are:
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.
Additionally, if SAML authentication is configured in your appliance, all existing SAML user sessions should be destroyed:
Put your GitHub Enterprise environment in Maintenance Mode.
SSH to your primary GitHub Enterprise appliance.
Destroy the existing SAML sessions.
$ echo SAML::Session.destroy_all | ghe-console-github
Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.
If possible, we also recommend restricting Management Console access to your site administrators.
These vulnerabilities were reported through the GitHub Security Bug Bounty program and we have no evidence that they have been exploited in the wild. To learn more about the Bug Bounty program for GitHub Enterprise, visit https://bounty.github.com/targets/github-enterprise.html and our recent blog post about the inclusion of GitHub Enterprise, Bug Bounty anniversary promotion: bigger bounties in January and February.
Please contact GitHub Enterprise Support if you have any questions.
GitHub Enterprise 2.4 will be deprecated as of February 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Thanks!
The GitHub Team