GitHub Rotates Credentials and Releases Critical Security Patch for Enterprise Server
GitHub revealed that it has rotated several critical credentials on GitHub.com in response to a vulnerability reported through its Bug Bounty program in late December 2023.
The vulnerability allowed an attacker to access credentials within a GitHub.com production container. Upon discovery, GitHub immediately fixed the vulnerability on the same day and proceeded to rotate any potentially exposed credentials as a precautionary measure.
GitHub stresses that they have high confidence this vulnerability was never found or exploited prior to being responsibly reported through their Bug Bounty program. However, rotating the credentials follows their procedure for cases where credentials may have been exposed to third parties.
The credential rotations caused some temporary service disruptions on GitHub.com between December 27 and 29 as credentials were changed across GitHub's production systems. GitHub says they have improved their procedures to reduce the likelihood of downtime during future credential rotations.
Affected Credentials
The rotated credentials that may require action by some GitHub users are:
- GitHub commit signing key: Used for cryptographically signing commits created on GitHub.com. Users verifying signed GitHub commits outside of GitHub.com will need to import the new public key.
- Customer encryption keys for Actions, Codespaces, and Dependabot: Allow users to encrypt secrets sent to GitHub. Users with hardcoded or cached old keys may need to pull updated public keys to avoid errors.
GitHub recommends developers regularly pull the latest public keys via API rather than hardcoding keys to ensure seamless key rotations in the future.
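One way to follow that recommendation, as an added example that is not GitHub's own code: a client that pulls the repository's Actions public key on demand, caches it, and refetches once when an upload is rejected because the cached key_id is stale. The FakeGitHub class and demo_encrypt are constructed stand-ins so the example runs offline; real clients call the endpoints named in the docstring and encrypt with a libsodium sealed box.

```python
import base64
import os
from typing import Callable, Dict, Optional, Tuple

class KeyIdRejected(Exception): pass  # server refused a key_id that is no longer current

class FakeGitHub:
    """Constructed offline stand-in for GET /repos/{owner}/{repo}/actions/secrets/public-key
    (returns key_id and base64 key) and PUT /repos/{owner}/{repo}/actions/secrets/{name}."""
    def __init__(self) -> None:
        self.key_id, self.stored = 0, {}
        self.rotate()
    def rotate(self) -> None:  # models the key rotation GitHub performed
        self.key_id += 1
        self.key = os.urandom(32)  # libsodium public keys are 32 bytes
    def get_public_key(self) -> Dict[str, str]:
        return {"key_id": str(self.key_id), "key": base64.b64encode(self.key).decode()}
    def put_secret(self, name: str, encrypted_value: str, key_id: str) -> None:
        if key_id != str(self.key_id):
            raise KeyIdRejected(key_id)  # assumption: a stale key_id is rejected
        self.stored[name] = encrypted_value

class SecretClient:
    """Pulls the key on demand, caches it, and re-pulls once on a stale key_id."""
    def __init__(self, api: FakeGitHub, encrypt: Callable[[bytes, str], bytes]) -> None:
        self.api, self.encrypt, self.fetches = api, encrypt, 0
        self.cached: Optional[Tuple[str, bytes]] = None
    def public_key(self, refresh: bool = False) -> Tuple[str, bytes]:
        if self.cached is None or refresh:
            body = self.api.get_public_key()  # never hardcoded: always fetched from the API
            self.cached = (body["key_id"], base64.b64decode(body["key"]))
            self.fetches += 1
        return self.cached
    def set_secret(self, name: str, value: str) -> str:
        # Returns the key_id the secret was accepted under; retries once after a refresh.
        for attempt in (0, 1):
            key_id, key = self.public_key(refresh=attempt == 1)
            try:
                self.api.put_secret(name, base64.b64encode(self.encrypt(key, value)).decode(), key_id)
                return key_id
            except KeyIdRejected:
                if attempt == 1:
                    raise

def demo_encrypt(key: bytes, value: str) -> bytes:
    # Placeholder for the real step, a libsodium sealed box, e.g. PyNaCl's
    # nacl.public.SealedBox(nacl.public.PublicKey(key)).encrypt(value.encode()).
    return value.encode()
```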
Critical GHES Security Patch
In addition to rotating credentials on GitHub.com, GitHub has also released GitHub Enterprise Server (GHES) version 3.11.3 to address two high-severity security vulnerabilities:
- CVE-2024-0507: A command injection flaw allowing privilege escalation by Management Console users with the editor role.
- CVE-2024-0200: An unsafe reflection vulnerability allowing potential remote code execution by authenticated organization owners.
Both vulnerabilities were reported through GitHub's Bug Bounty program.
While the command injection requires access to an editor account in the Management Console, the reflection vulnerability is serious as it could allow organization owners to achieve remote code execution on GHES instances.
GitHub recommends all GHES customers immediately update to version 3.11.3 or later to patch these critical security issues.