October 11th, 2021

Azure DevOps Response to GitKraken SSH Bug

Gloridel Morales
Senior Technical Program Manager

On September 28, 2021, Azure DevOps was notified by Axosoft of a vulnerability in a dependency of their popular git GUI client – GitKraken. This vulnerability led to the GitKraken client generating insecure SSH keys.

In response to this disclosure, we conducted a security investigation of the reported vulnerability and identified a small set of users across our service with potentially insecure SSH keys generated through affected versions of GitKraken.

We revoked all the affected SSH keys generated through affected versions of GitKraken on 10/11/2021. We will also directly inform those individuals whose SSH keys were revoked within the next 24 hours.

If you do not receive an email notification from Azure DevOps about this issue, we have no evidence you were impacted by this vulnerability. However, as a good security precaution, we recommend that you remove the SSH public keys you added to Azure DevOps and add a new one. For information on how to do this, please see the how-to steps here.

For more information regarding this issue please visit GitKraken’s blogpost regarding the issue here

For questions related to GitKraken, please contact their support team at support@gitkraken.com.

For questions related to Azure DevOps, feel free to reach out to us through the Azure DevOps Developer Community Channel.

Author

Gloridel Morales
Senior Technical Program Manager

Gloridel is a Senior Technical Program Manager on the Azure DevOps team.

1 comment

Discussion is closed. Login to edit/delete existing comments.

  • Steven Cady · Edited

    Is it possible for Project Collection Administrators to revoke SSH keys of others users? We would like to clear SSH keys in our org as a precaution but do not want to rely on the users themselves needing to do this.