Fixed
Status Update
Comments
ek...@google.com <ek...@google.com> #3
What are the remaining steps before we can announce and release this?
Is this waiting on somebody verifying the changes at https://gerrit-review.googlesource.com/q/hashtag:"jgitupgradedec2018"?
Description
Confidentiality Impact: High. (Providing the full list of refs to any user that has access to the repository could disclose sensitive and confidential information to unauthorized users)
Integrity Impact: None.
Availability Impact: None.
Access Complexity: Low. (It is enough to have access to one repository to obtain the full list of its refs)
Authentication: Single system. (The vulnerability requires the attacker to be a registered user with access to the system over the Git protocol)
Gained Access: None.
Description:
The Git protocol v2 is flagged as experimental and is not enabled by default in Gerrit v2.16; earlier versions do not implement it. However, if it is explicitly enabled in gerrit.config, it allows any user who has access to a project to list and fetch any ref associated with that project, regardless of the user's actual access permissions.
Gerrit ACLs are enforced through JGit's AdvertiseRefsHook, which calls Gerrit's RefFilter. The hook is normally installed via UploadPack.setAdvertiseRefsHook but, when Gerrit has protocol v2 enabled in gerrit.config and the client negotiates Git protocol v2, the hook is not invoked.
As a result, the permissions defined in Gerrit's ACLs are entirely ignored, and every user can see the names and SHA-1s of all refs from a Git client using 'git fetch' or 'git ls-remote'.
Remediation:
On Gerrit v2.16 and v2.16.1, disable the Git protocol v2 if it has been enabled in gerrit.config.
Example:
[receive]
enableProtocolV2 = false
Upgrade to v2.16.2 as soon as possible; in that release the Git protocol v2 is always disabled.
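As an added example (not part of the original report or of Gerrit's own code), the following POSIX shell script checks for the behaviour described above: it compares the ref listing a client obtains over Git protocol v1, which passes through AdvertiseRefsHook and therefore RefFilter, with the listing obtained over protocol v2, and reports every ref that only the v2 path advertised. It also shows how to read the receive.enableProtocolV2 setting back out of gerrit.config to confirm the remediation. The two sample listings, the $GERRIT_URL and $GERRIT_SITE placeholders and the repository name are constructed assumptions, not data from a real server.

```shell
#!/bin/sh
# Added example, not part of the original report or of Gerrit's code.
# Compares `git ls-remote` output gathered over Git protocol v1 (filtered by
# JGit's AdvertiseRefsHook and Gerrit's RefFilter) with the output gathered
# over protocol v2 (which on Gerrit 2.16/2.16.1 skipped the hook). Any ref
# that appears only in the v2 listing is one the ACLs should have hidden.
# The sample listings below are constructed, not real data.

# Extract the ref names (second column of `git ls-remote` output), sorted in
# the C locale so that `comm` can consume them.
ref_names() {
  awk 'NF == 2 { print $2 }' | LC_ALL=C sort -u
}

# Print refs present in the v2 listing ($2) but absent from the v1 listing ($1).
leaked_refs() {
  v1_tmp=$(mktemp) && v2_tmp=$(mktemp) || return 1
  ref_names < "$1" > "$v1_tmp"
  ref_names < "$2" > "$v2_tmp"
  LC_ALL=C comm -13 "$v1_tmp" "$v2_tmp"   # -13: lines only in the second file
  rm -f "$v1_tmp" "$v2_tmp"
}

# Number of leaked refs; 0 means v2 advertised nothing that v1 hid.
leaked_count() {
  leaked_refs "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: a user whose ACL grants read access only to
# refs/heads/master. The v1 listing is filtered; the v2 listing exposes
# every ref name and SHA-1, including the change ref and refs/meta/config.
SAMPLE_DIR=$(mktemp -d)
printf '%s\t%s\n' \
  0123456789abcdef0123456789abcdef01234567 HEAD \
  0123456789abcdef0123456789abcdef01234567 refs/heads/master \
  > "$SAMPLE_DIR/v1.txt"
printf '%s\t%s\n' \
  0123456789abcdef0123456789abcdef01234567 HEAD \
  0123456789abcdef0123456789abcdef01234567 refs/heads/master \
  89abcdef0123456789abcdef0123456789abcdef refs/heads/secret \
  fedcba9876543210fedcba9876543210fedcba98 refs/changes/45/12345/1 \
  cdef0123456789abcdef0123456789abcdef0123 refs/meta/config \
  > "$SAMPLE_DIR/v2.txt"

# Against a live server (the client needs git >= 2.18 to request
# protocol.version=2; $GERRIT_URL and the project name are placeholders):
#   git -c protocol.version=1 ls-remote "$GERRIT_URL/project" > v1.txt
#   git -c protocol.version=2 ls-remote "$GERRIT_URL/project" > v2.txt
#   leaked_refs v1.txt v2.txt
# To confirm the remediation on a 2.16.x site ($GERRIT_SITE is a placeholder),
# the key should read false or be absent:
#   git config -f "$GERRIT_SITE/etc/gerrit.config" receive.enableProtocolV2

leaked_refs "$SAMPLE_DIR/v1.txt" "$SAMPLE_DIR/v2.txt"
```

Run the two ls-remote commands as an ordinary registered user, not as an administrator, since an administrator sees every ref over both protocol versions and the comparison would be empty either way.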