Posted on 01-29-2023 12:54 PM
Hi all,
Our Qualys console recently started reporting on Git related vulnerability - CVE-2022-41903
Vulnerable git version detected on our assets: git version 2.37.1 (Apple Git-137.1)
This is the native Git version that comes bundled with the OS. Apple has not yet provided a security update on this one so I'm trying to find a way for doing patching effectively and urgently.
I understand that I can get the latest release (2.39.1) from here: https://git-scm.com/download/mac
However in order to be able to upgrade I would need either Homebrew or MacPorts. The problem here is that none of them seem to be installed to the impacted assets so I would need to deploy one of them first.
I also tried upgrading Git via Git: git clone https://github.com/git/git Unfortunately it's not working.
I'm not really experienced with Git so at this point I'm not sure about the possible best approach to address the vulnerability. I'm also not sure about what was going to happen to the current version of Git upon upgrading. Would the existing version still be available? Asking because this is exactly what happens if I patch .NET Runtime and .Net SDK through JAMF. I just got the new versions deployed along with the old/obsolete/vulnerable version.
Any thoughts are welcome!
Posted on 02-07-2023 03:33 PM
If your endpoints haven't installed Git via Homebrew or MacPorts, and installing the newer version leaves the old version in-place, then the likely suspect is Xcode. Xcode's Command Line Developer Tools contain Git by default, so updating the developer tools will likely resolve the vulnerability, assuming a patched version of the tools has been released.
You can run
softwareupdate --list
to see a list of available updates, and somewhere in there you should be able to see something like
Software Update found the following new or updated software: * Command Line Tools (macOS Ventura version 13.2) for Xcode-14.2 Command Line Tools (macOS Ventura version 13.2) for Xcode (14.2)
If not, then either it's already installed or isn't available yet. If it's available, you should be able to run software update normally through System Preferences to install it.
If Qualys is still picking up hashes of affected executables after updating, or if there's no update available, you also have the option of removing the Command Line Tools entirely. The Apple-documented way of uninstalling them is literally to delete the entire folder that contains them:
/Library/Developer/CommandLineTools
If you're still getting positive scans after that... I'm not sure what that could be. I'd consult the scan report to see exactly what directory it's finding Git in.
Posted on 04-05-2023 03:55 AM
All of the endpoint got Apple Git natively. It's not that they installed homebrew and then installed Git.
Anyway I built a policy to install Homebrew and that worked just fine. Needed to get a script that would make it happen with CyberArk EPM installed - all users are standard and obviously I cannot install homebrew using sudo.
Then I just run brew install git smoothly and got ver. 2.40.0 installed. The problem is that is did not upgrade Apple Git but installed Git into another folder. The command which git helped identifying them different version. So it's not a working solution when one must upgrade Apple Git.
But luckily along with the latest Xcode Command Line Tools upgrade, Apple released a new version of their Git so it's all resolved now.