Security Log

A summary of Gitpod’s latest security findings and updates.

February 21, 2022

Vulnerability affecting Gitpod

We deployed a security update to Gitpod. It prevents an unsecured Google API endpoint from being reachable from workspaces, which could lead to information disclosure between workspaces.

If you are running a self-hosted installation of Gitpod, this is unlikely to affect you; we nevertheless recommend updating to version 2022.01.

Background

We were notified of this issue on February 20th; it was reviewed, validated and remediated the same day. Furthermore, we conducted a root-cause analysis to identify and remediate the underlying issues that made this exploit possible.

Lessons we learned

  • We are now running active checks that terminate the session when a workspace connects to the metadata API (#8334)
  • The issue will be subject to penetration testing procedures
  • We are adding automated tests which ensure the aforementioned checks remain in effect
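As an added illustration of the first check above (example code, not Gitpod's own implementation), the following detects workspace sessions that connected to the cloud metadata endpoint from a constructed connection log and returns the sessions that should be terminated. It assumes the standard GCE metadata address 169.254.169.254 / metadata.google.internal and a hypothetical log line format.

```python
import ipaddress
import re
from typing import Dict, Iterable

# Assumption (not from the Gitpod post): the cloud metadata service is reached
# via the well-known link-local address or its DNS name.
METADATA_HOSTS = {"metadata.google.internal"}
METADATA_NET = ipaddress.ip_network("169.254.169.254/32")

# Hypothetical connection-log format:
#   <timestamp> ws=<workspace-id> session=<session-id> dst=<host-or-ip>:<port>
LOG_RE = re.compile(
    r"ws=(?P<ws>\S+) session=(?P<session>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)"
)


def is_metadata_destination(dst: str) -> bool:
    """True if the destination host or IP is the metadata endpoint."""
    host = dst.lower()
    if host in METADATA_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host) in METADATA_NET
    except ValueError:
        return False  # a hostname, not an IP literal


def sessions_to_terminate(log_lines: Iterable[str]) -> Dict[str, str]:
    """Map session id -> workspace id for every session that touched the metadata API."""
    flagged: Dict[str, str] = {}
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # malformed or unrelated line; skip rather than fail
        if is_metadata_destination(match["dst"]):
            flagged[match["session"]] = match["ws"]
    return flagged


# Constructed sample log; only session s-2 reaches the metadata endpoint.
SAMPLE_LOG = [
    "2022-02-20T10:00:01Z ws=ws-a session=s-1 dst=github.com:443",
    "2022-02-20T10:00:02Z ws=ws-b session=s-2 dst=169.254.169.254:80",
    "2022-02-20T10:00:03Z ws=ws-c session=s-3 dst=registry.npmjs.org:443",
    "2022-02-20T10:00:04Z ws=ws-b session=s-2 dst=metadata.google.internal:80",
    "not a connection record",
]

if __name__ == "__main__":
    print(sessions_to_terminate(SAMPLE_LOG))  # {'s-2': 'ws-b'}
```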

Kudos to Alan and the Team

We would like to thank Alan Cao for notifying us about this issue, including a comprehensive write-up that allowed easy revalidation. The Gitpod teams also understood and remediated the issue swiftly; a timely response is key.