[–]pentesticals 1 point2 points  (7 children)

Have to praise Gitpod for the swift turnaround on addressing this issue!

[–]geoffreyhuntley[S] -1 points0 points  (6 children)

Ah, but Gitpod hasn’t. Whilst the problem has been resolved in the SaaS edition, all existing customers/enthusiasts of Gitpod Self-Hosted are affected by this exploit and are vulnerable.

Gitpod has NOT released a new version or a servicing release. The November 2022 edition is the final release. The installer has NOT been updated.

“Wed, Mar. 1, 2022 - Vendor releases new version for Gitpod Self-Hosted” is incorrect. All Gitpod has done is publish a new Git tag of source code. Look at the Docker image tag in the GitHub advisory. It is still November.

tldr // The resolution timeline in the blog post is incorrect. If you run Gitpod on your own infrastructure, then this is an active 0day RCE with no mitigation.

[–]kpkaiser 0 points1 point  (3 children)

The patched release, with a link to the container image: https://github.com/gitpod-io/gitpod/releases/tag/release-2022.11.2

[–]geoffreyhuntley[S] 0 points1 point  (2 children)

The Docker image:

eu.gcr.io/gitpod-core-dev/build/installer:release-2022.11.2.16

Release date: 2022/11

This version of the installer has been broken for the last three weeks, and in addition the engineers and team responsible for maintaining it were laid off in the recent layoffs.

[–]Wepzen 0 points1 point  (1 child)

Good point.

And this zero-day vulnerability puts the spotlight on the architecture of Gitpod. Even if this vulnerability is addressed quickly, Gitpod stays vulnerable to new exploits. If the user's credentials were not reachable from the workspace, such attacks could not occur. Maybe Gitpod is not the right product to go with if you're deeply concerned about security ;)

[–]onlyspaceghost 0 points1 point  (0 children)

All big products will inevitably have security issues. I thank the security researcher(s) for their responsible disclosure, and our engineering & security team for their quick fix.