Bitbucket Server security advisory 2017-01-24

Bitbucket Server (formerly Stash) - Read-Only Anonymous Admin Access

Summary: An anonymous user can gain read-only access to some administrative pages.

Release Date: 2017-01-24

Product: Bitbucket Server (formerly Stash)

Affected Versions
  • 2.4.2 <= version < 4.8.0

Summary of Vulnerability

An anonymous user can gain read-only access to some administrative pages by crafting a malicious GET request. This vulnerability is caused by an issue in Spring Security / MVC.

This advisory discloses a high severity security vulnerability which was introduced in version 2.4.2 of Bitbucket Server (formerly Stash). Versions of Bitbucket Server (formerly Stash) starting with 2.4.2 and earlier than 4.8.x are affected by this vulnerability.

Customers who have upgraded Bitbucket Server (formerly Stash) to version 4.8.0 or higher are not affected.

Customers who are running Bitbucket Server (formerly Stash) version >= 2.4.2 and less than 4.8.0 should upgrade their Bitbucket Server (formerly Stash) installations immediately to fix this vulnerability.


Bitbucket Server (formerly Stash) Read-Only Anonymous Admin Access

Severity

Atlassian rates the severity level of this vulnerability as high, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.


Description

An anonymous user can gain read-only access to some administrative pages by crafting a malicious GET request. This vulnerability is caused by an issue in Spring Security / MVC (CVE-2016-5007).

All versions of Bitbucket Server (formerly Stash) up to and including 4.7.2 are affected by this vulnerability. This issue can be tracked here: BSERV-9469.


What You Need to Do

Upgrade (recommended)

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server (formerly Stash), see the release notes. You can download the latest version of Bitbucket Server (formerly Stash) from the Atlassian website.

Upgrade Bitbucket Server (formerly Stash) to version 4.8.0 or higher.

If you are running Bitbucket Server (formerly Stash) 4.7.2 or lower and cannot upgrade to 4.8.0 or higher, then apply the workaround described below.

Workaround

The best solution for fixing this vulnerability is to update to a fixed version. However, if this is not possible, the change to the Spring MVC configuration shown below is an accepted workaround for the vulnerability. This vulnerability was originally detected in Spring Security (CVE-2016-5007).

A vulnerable configuration looks like this (no mvc:path-matching element is configured, so the default path-matching options apply):

    <!-- JSR-303 (bean validations) support will be detected on classpath and enabled automatically -->
    <mvc:annotation-driven validator="validator">
        <mvc:message-converters>
            <bean class="org.springframework.http.converter.BufferedImageHttpMessageConverter"/>
        </mvc:message-converters>
    </mvc:annotation-driven>

For customers running Bitbucket Server (any version >= 4.0), this can be found in the following file:

<INSTALL_DIRECTORY>/atlassian-bitbucket/WEB-INF/classes/stash-mvc.xml

For customers running Stash (any version <= 3.11.6), this can be found in the following file:

<INSTALL_DIRECTORY>/atlassian-stash/WEB-INF/classes/stash-mvc.xml


To apply the workaround:

  1. Shut down Bitbucket Server (formerly Stash)
  2. Open the corresponding file (see above) with your editor of choice
  3. Remove the vulnerable code, and replace it with the code below:
    <!-- JSR-303 (bean validations) support will be detected on classpath and enabled automatically -->
    <mvc:annotation-driven validator="validator">
        <mvc:message-converters>
            <bean class="org.springframework.http.converter.BufferedImageHttpMessageConverter"/>
        </mvc:message-converters>
        <mvc:path-matching suffix-pattern="false" path-matcher="pathMatcher" />
    </mvc:annotation-driven>
    <bean id="pathMatcher" class="org.springframework.util.AntPathMatcher">
        <property name="trimTokens" value="false" />
    </bean>
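Why the workaround switches off both suffix-pattern matching and trimTokens: the security filter and the Spring MVC dispatcher each match the request path against their own patterns, and if the dispatcher trims whitespace from path segments or accepts suffix variants while the filter matcher does not, the two layers can disagree about a single request. The Python model below is an added example, not Atlassian or Spring code. It implements a deliberately simplified Ant-style matcher (only `*` and `**`, no `?` or path variables) with those two options and reports, for a set of constructed request paths, which ones the dispatcher would route to a handler although the strict filter-layer rule written with the same pattern does not treat them as protected. The pattern "/admin/users", the function names and the sample paths are all constructed for this illustration.

```python
"""Added example: model of the path-matcher mismatch the workaround closes.

Not Atlassian or Spring code. A simplified Ant-style matcher shows why a
dispatcher that trims path segments or honours suffix patterns can route a
request that a strict access-control matcher did not recognise as protected.
The pattern and sample paths are constructed for this example.
"""


def split_path(path, trim_tokens):
    """Split a path into segments, dropping empty ones.

    With trim_tokens=True (the AntPathMatcher default that the workaround
    turns off) surrounding whitespace is removed from each segment first.
    """
    segments = [seg for seg in path.split("/") if seg]
    if trim_tokens:
        segments = [seg.strip() for seg in segments]
        segments = [seg for seg in segments if seg]
    return segments


def _match_segments(pattern, segments):
    """Recursive Ant-style match: '*' is one segment, '**' zero or more."""
    if not pattern:
        return not segments
    if pattern[0] == "**":
        return any(_match_segments(pattern[1:], segments[i:])
                   for i in range(len(segments) + 1))
    if not segments:
        return False
    head_ok = pattern[0] == "*" or pattern[0] == segments[0]
    return head_ok and _match_segments(pattern[1:], segments[1:])


def ant_match(pattern, path, trim_tokens):
    """Match one path against one Ant-style pattern (no '?' or {var} support)."""
    return _match_segments(split_path(pattern, trim_tokens),
                           split_path(path, trim_tokens))


def filter_protects(pattern, path):
    """Strict access-control decision: no trimming, no suffix matching."""
    return ant_match(pattern, path, trim_tokens=False)


def handler_matches(pattern, path, trim_tokens, suffix_pattern):
    """Dispatcher decision under the two options the workaround configures."""
    if ant_match(pattern, path, trim_tokens):
        return True
    if suffix_pattern:
        # Suffix matching lets a request for "/x.ext" reach the handler at "/x".
        base, dot, ext = path.rpartition(".")
        if dot and "/" not in ext:
            return ant_match(pattern, base, trim_tokens)
    return False


def find_inconsistencies(pattern, paths, trim_tokens, suffix_pattern):
    """Paths the dispatcher would route to the handler although the
    filter layer does not treat them as protected."""
    return [p for p in paths
            if handler_matches(pattern, p, trim_tokens, suffix_pattern)
            and not filter_protects(pattern, p)]


# Constructed inputs: the same pattern serves as the protected-URL rule and
# as the controller mapping; only the matcher options differ between layers.
PATTERN = "/admin/users"
SAMPLE_PATHS = [
    "/admin/users",       # canonical request
    "/admin/users.json",  # suffix variant
    "/ admin/users",      # a segment padded with whitespace
    "/public/users",      # unrelated path
]


if __name__ == "__main__":
    before = find_inconsistencies(PATTERN, SAMPLE_PATHS,
                                  trim_tokens=True, suffix_pattern=True)
    after = find_inconsistencies(PATTERN, SAMPLE_PATHS,
                                 trim_tokens=False, suffix_pattern=False)
    print("default options, routed but not protected:", before)
    print("suffix-pattern=false, trimTokens=false:    ", after)
```

Run stand-alone, the first list is non-empty under the default options and empty once both options are switched off, which is exactly the state the corrected stash-mvc.xml fragment puts the real AntPathMatcher into. The same comparison is a useful regression check after any upgrade of the web framework: if the filter layer and the dispatcher ever disagree on a path, the disagreement, not the individual matcher, is the bug.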


Note: If you are running Bitbucket Server 4.8.x with your own Tomcat installation at a version below 8.0.36, please apply the fix above as well. Please note that we only support running Bitbucket Server with the bundled Tomcat version.


Support

If you have questions or concerns, please raise a support request at https://support.atlassian.com/.

References

Security Bug Fix Policy

As per our new policy, critical security bug fixes will be back-ported to major software versions for up to 12 months for JIRA and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released.

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.
Last modified on Jan 25, 2017
