Due to a configuration error, the PostgreSQL server that is bundled into omnibus-gitlab trusts all connections originating from the server omnibus-gitlab is running on.
This has been rectified in omnibus-gitlab 6.9.2.omnibus.2 (GitLab Community Edition) and 6.9.4-ee.omnibus.1 (GitLab Enterprise Edition).
We advise all users of omnibus-gitlab to update to the latest release.
Affected versions: all versions of omnibus-gitlab up to and including omnibus-gitlab 6.9.2.omnibus.1 (GitLab Community Edition) and 6.9.4-ee.omnibus (GitLab Enterprise Edition).
Not affected: source and cookbook installations of GitLab (i.e. installations not using the .deb or .rpm packages). Omnibus-gitlab installations which use an external DBMS are also not affected.
Fixed versions: omnibus-gitlab 6.9.2.omnibus.2 (GitLab Community Edition) and 6.9.4-ee.omnibus.1 (GitLab Enterprise Edition).
Releases
You can download the latest version of omnibus-gitlab for GitLab Community Edition or omnibus-gitlab for GitLab Enterprise Edition and follow the update instructions.
Impact
An attacker who can execute code on the server omnibus-gitlab runs on can get full superuser access to the bundled Postgres database which holds all GitLab metadata.
To see if your omnibus-gitlab installation is affected you can run the following command on your GitLab server.
sudo -u root /opt/gitlab/embedded/bin/psql -U gitlab-psql -d template1 -c '\echo connected to an insecure Postgres instance'
If the command echoes "connected to an insecure Postgres instance", your omnibus-gitlab installation is affected by this issue.
If you instead receive the error message psql: FATAL: Peer authentication failed for user "gitlab-psql", your bundled Postgres service is secured.
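The setting behind this advisory is the Postgres host-based authentication file (pg_hba.conf): a "trust" rule for local connections lets any local process open a session as any role, while the "peer" method behind the error message above ties the socket connection to the calling OS user. The script below is an added example, not code from GitLab or the advisory: it audits a pg_hba.conf for "trust" rules that cover Unix-socket or loopback connections and runs against two constructed sample files; the omnibus path /var/opt/gitlab/postgresql/data/pg_hba.conf named in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the GitLab advisory or the omnibus-gitlab project.
# Audit a pg_hba.conf for "trust" rules scoped to local Unix sockets or
# loopback TCP addresses: such a rule hands out credential-less sessions to
# every process on the host. The omnibus location of the file is assumed to
# be /var/opt/gitlab/postgresql/data/pg_hba.conf; the samples are constructed.

# hba_trust_rules FILE: print each active rule whose method is "trust" and
# whose scope is local sockets or loopback addresses.
hba_trust_rules() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines
        $1 == "local" { m = $4; a = "" }             # local  db user method
        $1 ~ /^host/  {                              # host*  db user addr [mask] method
            a = $4; m = $5
            if (m ~ /^[0-9.]+$/) m = $6              # IPv4 netmask given as its own field
        }
        $1 != "local" && $1 !~ /^host/ { next }      # hostgssenc etc. start with "host"
        m != "trust" { next }
        $1 == "local" || a == "localhost" || a ~ /^(127\.0\.0\.1|::1)(\/|$)/ { print }
    ' "$1"
}

# hba_is_insecure FILE: true (exit 0) when at least one such rule exists.
hba_is_insecure() { [ -n "$(hba_trust_rules "$1")" ]; }

# Constructed samples: the pre-fix state the advisory describes, and a
# hardened state consistent with its "Peer authentication failed" message.
INSECURE_HBA=$(mktemp); FIXED_HBA=$(mktemp)
cat > "$INSECURE_HBA" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   127.0.0.1/32  trust
EOF
cat > "$FIXED_HBA" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  md5
EOF

for f in "$INSECURE_HBA" "$FIXED_HBA"; do
    if hba_is_insecure "$f"; then echo "$f: INSECURE"; hba_trust_rules "$f"; else echo "$f: ok"; fi
done
```

Point the functions at the live file to audit a real installation; a netmask written in IPv6 form as a separate field is not recognised by the simplified parser above.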
Please contact us at support.gitlab.com if you have any questions.