GitHub rotates keys to mitigate impact of credential-exposing flaw


January 16, 2024 at 05:23PM

GitHub resolved a vulnerability that allowed attackers to access credentials inside production containers by patching CVE-2024-0200. The fix ships in GitHub Enterprise Server versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. Although exploitation requires an organization owner role, GitHub rotated the exposed credentials and urges customers to install the security update promptly. A separate command injection vulnerability (CVE-2024-0507) was fixed in the same release.

Key takeaways from the meeting notes:

1. GitHub patched a vulnerability in December that could allow attackers to access credentials exposed to production containers via environment variables. The flaw is an unsafe reflection vulnerability (CVE-2024-0200) that could lead to remote code execution on unpatched servers.

2. The vulnerability was patched in GitHub Enterprise Server versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3, and customers are urged to install the security update as soon as possible.

3. The vulnerability required authentication with an organization owner role, and GitHub VP and Deputy Chief Security Officer Jacob DePriest emphasized that the credentials were rotated according to security procedures out of an abundance of caution.

4. GitHub also fixed a second high-severity Enterprise Server command injection vulnerability (CVE-2024-0507) that could allow attackers using a Management Console user account with an editor role to escalate privileges.

5. There have been previous incidents where GitHub had to rotate or revoke exposed or stolen secrets, including rotating its GitHub.com private SSH key and revoking code-signing certificates for its Desktop and Atom applications following security breaches.

6. Customers using GitHub’s commit signing key and GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys will have to import the new public keys.

7. GitHub recommends regularly pulling the public keys from the API to ensure the use of current data and seamless adoption of new keys in the future.
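The refresh-before-use pattern in item 7, as an added example that is not from the article or from GitHub's own tooling: the key-validation and rotation check run offline on constructed responses, while the endpoint paths for the Actions and Dependabot secret public keys are assumed from the GitHub REST API reference.

```python
import base64
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Per-repository public-key endpoints (assumption: taken from the GitHub REST
# API reference, not from the article above).
PUBLIC_KEY_ENDPOINTS = {
    "actions": "https://api.github.com/repos/{owner}/{repo}/actions/secrets/public-key",
    "dependabot": "https://api.github.com/repos/{owner}/{repo}/dependabot/secrets/public-key",
}

@dataclass(frozen=True)
class SealingKey:
    key_id: str
    key: bytes  # raw 32-byte X25519 public key used for libsodium sealed boxes

def parse_public_key_response(body: str) -> SealingKey:
    """Parse a public-key endpoint response and validate the key material."""
    doc = json.loads(body)
    raw = base64.b64decode(doc["key"], validate=True)
    if len(raw) != 32:
        raise ValueError(f"expected 32-byte X25519 key, got {len(raw)} bytes")
    return SealingKey(key_id=str(doc["key_id"]), key=raw)

def fetch_public_key(kind: str, owner: str, repo: str, token: str) -> SealingKey:
    """Pull the current key from the API before each encryption instead of caching it."""
    req = urllib.request.Request(
        PUBLIC_KEY_ENDPOINTS[kind].format(owner=owner, repo=repo),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_public_key_response(resp.read().decode())

def select_key(cached: Optional[SealingKey], fetched: SealingKey) -> tuple[SealingKey, bool]:
    """Return the key to encrypt with and whether it differs from the cached copy.
    The fresh key always wins: after a rotation a cached key seals secrets to a key
    GitHub no longer holds, so the upload is rejected or unusable."""
    rotated = cached is None or cached != fetched
    return fetched, rotated

# Constructed sample responses in the endpoint's documented shape (not real GitHub keys).
SAMPLE_BEFORE = json.dumps({"key_id": "012345678912345678",
                            "key": base64.b64encode(bytes(range(32))).decode()})
SAMPLE_AFTER = json.dumps({"key_id": "987654321098765432",
                           "key": base64.b64encode(bytes(range(32, 64))).decode()})
```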

These are the key points discussed in the meeting notes regarding the security vulnerabilities and actions taken by GitHub.
