Bitbucket Server security advisory 2019-09-18
Bitbucket - Argument Injection - CVE-2019-15000
Summary | CVE-2019-15000 - Argument injection |
---|---|
Advisory Release Date | 18 Sep 2019, 10:00 AM PDT (Pacific Time, -7 hours) |
Products | Bitbucket Server, Bitbucket Data Center |
Affected Bitbucket Server & Bitbucket Data Center Versions | before 5.16.10; from 6.0.0 before 6.0.10; from 6.1.0 before 6.1.8; from 6.2.0 before 6.2.6; from 6.3.0 before 6.3.5; from 6.4.0 before 6.4.3; from 6.5.0 before 6.5.2 |
Fixed Bitbucket Server & Bitbucket Data Center Versions | 5.16.10, 6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2, 6.6.0 and later |
CVE ID(s) | CVE-2019-15000 |
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability in Bitbucket Server and Bitbucket Data Center. The following versions of Bitbucket Server and Bitbucket Data Center are affected by this vulnerability:
Before 5.16.10 (the fixed version for 5.16.x)
From 6.0.0 before 6.0.10 (the fixed version for 6.0.x)
From 6.1.0 before 6.1.8 (the fixed version for 6.1.x)
From 6.2.0 before 6.2.6 (the fixed version for 6.2.x)
From 6.3.0 before 6.3.5 (the fixed version for 6.3.x)
From 6.4.0 before 6.4.3 (the fixed version for 6.4.x)
And from 6.5.0 before 6.5.2 (the fixed version for 6.5.x)
Customers who have upgraded Bitbucket to version 5.16.10, 6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2, 6.6.0, 6.6.1 or higher are not affected.
Customers who have downloaded and installed one of the following Bitbucket versions are affected:
less than 5.16.10 (the fixed version for 5.16.x)
>= 6.0.0 and less than 6.0.10 (the fixed version for 6.0.x)
>= 6.1.0 and less than 6.1.8 (the fixed version for 6.1.x)
>= 6.2.0 and less than 6.2.6 (the fixed version for 6.2.x)
>= 6.3.0 and less than 6.3.5 (the fixed version for 6.3.x)
>= 6.4.0 and less than 6.4.3 (the fixed version for 6.4.x)
>= 6.5.0 and less than 6.5.2 (the fixed version for 6.5.x)
Please upgrade your Bitbucket Server & Bitbucket Data Center installations immediately to fix this vulnerability.
Argument Injection
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.
All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability.
This issue can be tracked here: https://jira.atlassian.com/browse/BSERV-11947
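The following is an added illustration of the vulnerability class named above, not Bitbucket's code and not the reporter's exploit: a toy wrapper that builds a `git diff` command line from two user-supplied ref names, first as such wrappers are commonly written and then with the checks a fixed version needs. The injected value `--output=/tmp/owned` is a constructed attacker input; `--output=<file>` is a genuine `git diff` option that redirects the diff to a file, which is enough to show why an untrusted operand that git's option parser still sees is dangerous. The ref-name rules are a subset of git-check-ref-format(1); `--end-of-options` is a real git flag but only exists from Git 2.24 onwards, which postdates this advisory, so on older git the validation is the only defence. Nothing here runs git; the argv lists are inspected instead.

```python
"""Added illustration of git argument injection (not Bitbucket's code)."""
import re

# Constructed attacker input: syntactically a "ref", parsed by git as an option.
MALICIOUS_REF = "--output=/tmp/owned"

# Subset of git-check-ref-format(1). The first alternative is the one that
# matters for argument injection: a ref may never begin with '-'.
_REF_RE = re.compile(
    r"^(?![-/])"            # must not start with '-' (option) or '/'
    r"(?!.*\.\.)"           # no '..' (revision-range syntax)
    r"(?!.*@\{)"            # no '@{' (reflog syntax)
    r"(?!.*(?:^|/)\.)"      # no component starting with '.'
    r"(?!.*\.(?:$|/))"      # no component ending with '.'
    r"(?!.*\.lock(?:$|/))"  # no component ending with '.lock'
    r"(?!.*//)"             # no empty component
    r"[^\x00-\x20\x7f~^:?*\[\\]+"  # no control chars, space, ~ ^ : ? * [ \
    r"(?<!/)$"              # must not end with '/'
)


def is_safe_ref(ref: str) -> bool:
    """Accept only ref names that git will never parse as an option."""
    if not ref or ref == "@":
        return False
    return _REF_RE.match(ref) is not None


def vulnerable_diff_argv(base: str, head: str) -> list:
    """The injection-prone pattern: untrusted refs land where git's option
    parser still runs, so a value such as '--output=...' is honoured as an
    option instead of being treated as a revision."""
    return ["git", "diff", base, head]


def hardened_diff_argv(base: str, head: str) -> list:
    """Reject anything that is not a plain ref name, then tell git to stop
    option parsing before the operands (Git >= 2.24). The trailing '--'
    keeps the refs from being read as paths."""
    for ref in (base, head):
        if not is_safe_ref(ref):
            raise ValueError("rejected ref name: %r" % ref)
    return ["git", "diff", "--end-of-options", base, head, "--"]


def injected_options(argv: list) -> list:
    """Operands that git would still parse as options: anything starting
    with '-' that appears before '--end-of-options' or '--'. The toy
    wrappers pass no options of their own, so every hit is injected."""
    hits = []
    for arg in argv[2:]:  # skip "git" and the subcommand
        if arg in ("--end-of-options", "--"):
            break
        if arg.startswith("-"):
            hits.append(arg)
    return hits


if __name__ == "__main__":
    print("vulnerable:", injected_options(vulnerable_diff_argv("master", MALICIOUS_REF)))
    try:
        hardened_diff_argv("master", MALICIOUS_REF)
    except ValueError as exc:
        print("hardened:", exc)
```

The check to carry over into a real code base is the first one: any value that reaches a git argv must be validated against the ref-name grammar before the command is built, and where the git version allows it the operands should additionally sit behind `--end-of-options`. Resolving the user value with `git rev-parse --verify` first does not help on its own, because that command parses options too.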
Acknowledgements
We would like to acknowledge William Bowling for finding this vulnerability.
Fix
In order to address this issue we have applied fixes to the following released versions of Bitbucket Server & Data Center:
Version 6.6.1 can be downloaded from here.
Version 6.6.0 can be downloaded from here.
Version 6.5.2 can be downloaded from here.
Version 6.4.3 can be downloaded from here.
Version 6.3.5 can be downloaded from here.
Version 6.2.6 can be downloaded from here.
Version 6.1.8 can be downloaded from here.
Version 6.0.10 can be downloaded from here.
Version 5.16.10 can be downloaded from here.
What You Need to Do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the release notes. You can download the latest version of Bitbucket Server & Bitbucket Data Center from the download center.
Upgrade Bitbucket Server & Bitbucket Data Center to version 6.6.0 or higher.
If you can't upgrade to the latest version:
If you have version… | …then upgrade to any of these versions |
---|---|
1.x 2.x 3.x 4.x 5.x | 5.16.10 6.0.10 6.1.8 6.2.6 6.3.5 6.4.3 6.5.2 |
6.0.x | 6.0.10 6.1.8 6.2.6 6.3.5 6.4.3 6.5.2 |
6.1.x | 6.1.8 6.2.6 6.3.5 6.4.3 6.5.2 |
6.2.x | 6.2.6 6.3.5 6.4.3 6.5.2 |
6.3.x | 6.3.5 6.4.3 6.5.2 |
6.4.x | 6.4.3 6.5.2 |
6.5.x | 6.5.2 |
Mitigation
To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.
Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the standard functionality of Bitbucket.
This hotfix covers:
Standard Bitbucket functionality and features
Bitbucket Server and Data Center versions 4.0.0 and later
Bitbucket Server and Data Center instances
To install the hotfix:
This hotfix is a zero-downtime installation: no restart is required after installing it.
Log in to Bitbucket with your administrator account.
Go to Administration (cog wheel) and navigate to "Add-ons" → "Manage apps".
Select "Upload app" and provide the URL:
https://jira.atlassian.com/secure/attachment/376655/bitbucket-bserv-11896-hotfix-1.0.0.jar
Click "Upload" and wait for the hotfix to install.
If you are unable to upload the hotfix with the URL provided, or Bitbucket is behind a firewall, you can download the hotfix plugin JAR from https://jira.atlassian.com/browse/BSERV-11947 and upload the JAR file using the same steps above.
After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
As per our new policy, critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry-standard vulnerability metric. You can learn more about CVSS at FIRST.org.
Our end-of-life policy varies for different products. Please refer to our EOL Policy for details.