The 2.8 series release notes contain important changes in this release series.
SAML authentication bypass with XML signature wrapping in GitHub Enterprise
A CRITICAL issue was identified that allows an attacker to bypass SAML authentication. The vulnerability is applicable if the attacker has access to a validly signed SAML assertion or response against the configured Verification certificate. When applicable, an attacker can sign in as any user, including administrators.
The affected supported versions are:
- 2.8.0 - 2.8.6
- 2.7.0 - 2.7.10
- 2.6.0 - 2.6.15
- 2.5.0 - 2.5.20
- 2.4.0 - 2.4.22
Note: This is a different vulnerability than the one addressed in GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, and 2.5.20.
Remote code execution with server side request forgery in GitHub Enterprise
A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. The vulnerability is applicable if the attacker has access to configure a repository's Webhooks - owner or admin privileges to a repository.
The affected supported versions are:
- 2.8.0 - 2.8.6
- 2.7.0 - 2.7.10
- 2.6.0 - 2.6.15
- 2.5.0 - 2.5.20
- 2.4.0 - 2.4.22
Remote code execution in GitHub Enterprise Management Console
A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. This vulnerability exists in the Management Console which is accessible from port 8080 and 8443. This is only applicable to GitHub Enterprise 2.8.0 - 2.8.6.
Next steps
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.
Additionally, if SAML authentication is configured in your appliance, all existing SAML user sessions should be destroyed:
-
Put your GitHub Enterprise environment in Maintenance Mode.
-
SSH to your primary GitHub Enterprise appliance.
-
Destroy the existing SAML sessions.
$ echo SAML::Session.destroy_all | ghe-console -y
-
Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.
If possible, we also recommend restricting Management Console access to your site administrators.
These vulnerabilities were reported through the GitHub Security Bug Bounty program and we have no evidence that they have been exploited in the wild. To learn more about the Bug Bounty program for GitHub Enterprise, visit https://bounty.github.com/targets/github-enterprise.html and our recent blog post about the inclusion of GitHub Enterprise, Bug Bounty anniversary promotion: bigger bounties in January and February.
Please contact GitHub Enterprise Support if you have any questions.
Security Fixes
- CRITICAL: An attacker could bypass SAML authentication via XML signature wrapping and log in as any other user.
- CRITICAL: There was a remote code execution vulnerability via server side request forgery.
- CRITICAL: There was a remote code execution vulnerability through the Management Console.
- HIGH: With built-in authentication, suspended users could log in.
- Packages have been updated to the latest security versions.
Bug Fixes
- For Internet Explorer 11 users, the Write and Preview tabs in the comment window were switched.
- In a clustering environment, services would not automatically start after reboot.
- In a clustering environment,
ghe-migrator failed to import when running on node with the git-server role.
- The
/stafftools notification could incorrectly link to a deleted user's page.
- The OAuth application logo was incorrectly displayed when private mode was enabled.
- Collaborators with access via the default organization permissions were not listed in
/repos/:owner/:repo/collaborators.
- LDAP Sync Totals graph was incorrectly counting runs instead of users and teams synced.
- @mentions would not work for single character organization or team names.
Upcoming deprecation of GitHub Enterprise 2.5
GitHub Enterprise 2.5 will be deprecated as of March 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Known Issues
- We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- Enqueued background jobs are sometimes not purged when a repository is deleted.
svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- GitHub Enterprise clustering can not be configured without https.
- Attempting to convert a user to an organization fails with an internal server error.
- Graphs in the Management Console monitoring page are incorrectly sorted.
- The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
- Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
- An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)
- collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)
- After changing the visibility of a repository, wiki search results have a conflicting number of displayed search results. Administrators can reindex the wiki through the site admin dashboard. (updated 2017-11-09)
Thanks!
The GitHub Team