GitHub Enterprise 2.5.4 March 31, 2016 Series notes · Download

The 2.5 series release notes contain important changes in this release series.

Remote Code Execution in GitHub Enterprise Management Console

An issue was identified that could allow an attacker to execute arbitrary commands on the GitHub Enterprise appliance. This vulnerability exists in the Management Console which is accessible from port 8080 and 8443. This is only applicable to GitHub Enterprise 2.5.0, 2.5.1, 2.5.2, and 2.5.3.

We strongly recommend you upgrade your GitHub Enterprise appliance to GitHub Enterprise 2.5.4 immediately.

This vulnerability was reported to our GitHub Security Bug Bounty program and we have no evidence that it has been exploited in the wild.

If you're unable to upgrade immediately, the issue can be mitigated by blocking traffic to port 8080 and 8443 from any untrusted IP addresses. If your GitHub Enterprise appliance is behind a firewall device, you can block inbound requests to port 8443 and 8080 and allow trusted IP addresses. Alternatively, you can do this directly in the appliance,

  1. SSH to your GitHub Enterprise appliancee
  2. Block all traffic to ports 8080 and 8443

    $ sudo ufw insert 1 deny proto tcp from any to any port 8080,8443
    
  3. Allow a trusted IP address to access the Management Console by replacing <IPADDRESS>

    $ sudo ufw insert 1 allow proto tcp from <IPADDRESS> to any port 8080,8443
    

To remove the mitigation on your appliance,

  1. SSH to your GitHub Enterprise appliance
  2. Identify the numbered firewall rule to remove

    $ sudo ufw status numbered | grep '8080,8443/tcp' | grep DENY | head -n1
    
  3. Remove the firewall rule by replacing <NUMBER>

    $ sudo ufw delete <NUMBER>
    
  4. Run steps 2 and 3 until the firewall rules from step 2 are removed.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

Bug Fixes

Changes

Known issues

Thanks!

The GitHub Team