We’re sharing details on a vulnerability found with the Axosoft GitKraken software. Axosoft found a defect in the key gen package used by GitKraken versions 7.6.0 to 8.0.0 that could generate weak or duplicate SSH keys. This could enable an attacker to gain unauthorized access to an account or repositories on GitLab.com or a self-managed instance.
Based on our investigations to date, there is no indication that GitLab.com or any projects on GitLab.com that use the GitKraken tool have been impacted by this vulnerability.
Who is affected?
This vulnerability affects GitKraken users who created SSH keys using GitKraken releases from May 12, 2021 (7.6.0) to the week of September 27, 2021 (8.0.0).
GitKraken 8.0.1, released on September 28, 2021, fixes the bug.
Action we have taken
- We have emailed users with affected keys earlier today, October 11, 2021.
- For GitLab.com customers, we have already blocked known weak keys.
If affected, action you need to take
If you used a version of GitKraken prior to 8.0.1 to generate SSH keys, we highly recommend that you take the following actions:
Self-managed customers:
-
Revoke the SSH keys immediately. For additional instructions, see: https://docs.gitlab.com/ee/administration/credentials_inventory.html#delete-a-users-ssh-key
-
Update GitKraken to the latest version: https://support.gitkraken.com/release-notes/current/
-
Generate new SSH keys: https://support.gitkraken.com/integrations/gitlab/#generating-an-ssh-key-for-gitlab
GitLab.com customers:
-
Update GitKraken to the latest version: https://support.gitkraken.com/release-notes/current/
-
Generate new SSH keys: https://support.gitkraken.com/integrations/gitlab/#generating-an-ssh-key-for-gitlab
More information can be found in Axosoft’s disclosure: https://www.gitkraken.com/blog/weak-ssh-key-fix
and in CVE-2021-41117.
For questions or concerns regarding GitKraken or its use with GitLab, please contact Axosoft ([email protected]). For questions concerning your GitLab account, please contact our Support department.