Notification of SVN and Git Vulnerability with WANdisco MultiSite Plus and Git Multisite (CVE-2017-9800 & CVE-2017-1000117)
Posted by Greg McMullin on 16 August 2017 01:18 PM
Recently WANdisco received notification of a Critical Vulnerability in the SVN Client (CVE-2017-9800) and Git (CVE-2017-1000117). This could lead to a malicious third party being able to execute code on a git/svn server.
WANdisco recommends the use of SVN v1.8.19, v1.9.7 and Git v2.14.1, v2.7.6, v2.8.6, v2.9.5, v2.10.4, v2.11.3, v2.12.4, or v2.13.5 in which the vulnerability is patched.
Users of MSP will need to implement the recommendations listed in the SVN CVE until a patched version of MSP ships. GitMS does not have such a workaround, and as such our core recommendation would be to not run Git clients on your Git server. GitMS is receiving a priority release.
For MSP Users:
WANdisco’s server binaries that ship with SVN MultiSite Plus also contain the SVN client which may be able to execute the ssh command depending on configuration.
To mitigate, there is a method to prevent the ssh tunnelling exploit by editing the subversion config file for each user on the server:
# ssh = $SVN_SSH ssh -q
The entry above is present in this config file, and to prevent the exploit, you can uncomment this line and edit it thus:
ssh = $SVN_SSH ssh -q --
This change should be implemented as a default for any users on the SVN server that has the ability to run ssh commands. To do this you can make use of SVNs global configuration area on each server 
For GitMS Users:
WANdisco’s server binaries that ship with Git MultiSite include the Git client which, unpatched, may be able to execute the ssh command depending on your configuration.
Currently there is no mitigation to the Git defect short of patching the Git client with the fix. WANdisco is currently testing a Git MultiSite release with a patched Git client. The fix should be out shortly.
In general, your administrators should not be using the Git client on the server to do work. If they are doing so, you might ask them to stop until the Git MultiSite patch is installed.
There are still two ways that could be used to trigger the bug by some malicious user doing a push:
Please review your Git usage and be careful to eliminate or harden such usage. By “harden” we mean carefully validate the options used in the Git+SSH hook scripting, or by writing a new hook script to prevent malicious submodule statements from being pushed onto your server.
Please consult WANdisco support if you have any questions.
 http://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html#svn.advanced.confarea.layout This link describes Subversion 1.7, but the description is correct for all other versions as well.