Bitbucket Server security advisory 2019-09-18

Bitbucket - Argument Injection - CVE-2019-15000

Summary

CVE-2019-15000 - Argument injection

Advisory Release Date

10:00 AM PDT (Pacific Time, -7 hours)

Products

Bitbucket Server

Bitbucket Data Center

Affected Bitbucket Server & Bitbucket Data Center Versions

  • version < 5.16.10

  • 6.0.0 <= version < 6.0.10

  • 6.1.0 <= version < 6.1.8

  • 6.2.0 <= version < 6.2.6

  • 6.3.0 <= version < 6.3.5

  • 6.4.0 <= version < 6.4.3

  • 6.5.0 <= version < 6.5.2

  • 1.x

  • 2.x

  • 3.x

  • 4.x

  • 5.x before 5.16.10 (the fixed version for 5.16.x)

  • 6.0.x before 6.0.10 (the fixed version for 6.0.x)

  • 6.1.x before 6.1.8 (the fixed version for 6.1.x)

  • 6.2.x before 6.2.6 (the fixed version for 6.2.x)

  • 6.3.x before 6.3.5 (the fixed version for 6.3.x)

  • 6.4.x before 6.4.3 (the fixed version for 6.4.x)

  • 6.5.x before 6.5.2 (the fixed version for 6.5.x)

Fixed Bitbucket Server & Bitbucket Data Center Versions

  • 5.16.10

  • 6.0.10

  • 6.1.8

  • 6.2.6

  • 6.3.5

  • 6.4.3

  • 6.5.2

  • 6.6.0

  • 6.6.1

CVE ID(s)

CVE-2019-15000


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability in Bitbucket Server and Bitbucket Data Center. The following versions of Bitbucket Server and Bitbucket Data Center are affected by this vulnerability:

  • Before 5.16.10 (the fixed version for 5.16.x)

  • From 6.0.0 before 6.0.10 (the fixed version for 6.0.x)

  • From 6.1.0 before 6.1.8 (the fixed version for 6.1.x)

  • From 6.2.0 before 6.2.6 (the fixed version for 6.2.x)

  • From 6.3.0 before 6.3.5 (the fixed version for 6.3.x)

  • From 6.4.0 before 6.4.3 (the fixed version for 6.4.x)

  • And from 6.5.0 before 6.5.2 (the fixed version for 6.5.x)

Customers who have upgraded Bitbucket to version 5.16.10, 6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2, 6.6.0, 6.6.1 or higher are not affected.

Customers who have downloaded and installed a Bitbucket version in any of the following ranges are affected:

  • less than 5.16.10 (the fixed version for 5.16.x)

  • >= 6.0.0 less than 6.0.10 (the fixed version for 6.0.x)

  • >= 6.1.0 less than 6.1.8 (the fixed version for 6.1.x)

  • >= 6.2.0 less than 6.2.6 (the fixed version for 6.2.x)

  • >= 6.3.0 less than 6.3.5 (the fixed version for 6.3.x)

  • >= 6.4.0 less than 6.4.3 (the fixed version for 6.4.x)

  • >= 6.5.0 less than 6.5.2 (the fixed version for 6.5.x)

Please upgrade your Bitbucket Server & Bitbucket Data Center installations immediately to fix this vulnerability.


Argument Injection

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability that allowed an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, attackers are able to exploit this issue anonymously.
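To make the vulnerability class concrete from a defender's point of view, the following Python example is added here; it is not Bitbucket's code and does not reproduce the specific flaw the advisory refers to, which this page does not detail. It contrasts the unsafe pattern (a caller-controlled ref placed straight into a git argv, where a value beginning with "-" is parsed by git as an option) with a hardened builder that validates the ref against a conservative subset of git's ref-name rules, fully qualifies it as refs/heads/<name> so the operand can never start with "-", and separates any path with "--". All function names, the placeholder option name and the sample values are assumptions made for this illustration.

```python
import re
import subprocess
from typing import List, Optional

# Constructed sample inputs (not taken from the advisory): a normal branch name,
# a path that happens to start with '-', and an option-shaped value of the kind
# argument injection relies on. The option name is a placeholder, not a real git flag.
SAFE_BRANCH = "feature/login"
DASH_PATH = "-notes.txt"
OPTION_SHAPED = "--injected-option=value"


def is_option_like(value: str) -> bool:
    """True if git's option parser would treat the value as a flag, not an operand."""
    return value.startswith("-")


def validate_branch(value: str) -> str:
    """Accept only a conservative subset of git's ref-name syntax (see git-check-ref-format).

    Anything else, including anything that starts with '-', is rejected before
    it can reach a git command line.
    """
    if not value or is_option_like(value):
        raise ValueError(f"refusing option-shaped or empty branch name: {value!r}")
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._/-]*", value):
        raise ValueError(f"branch name contains disallowed characters: {value!r}")
    for bad in ("..", "@{", "//", "/.", ".lock/"):
        if bad in value:
            raise ValueError(f"branch name contains forbidden sequence {bad!r}: {value!r}")
    if value.endswith((".", "/", ".lock")):
        raise ValueError(f"branch name has forbidden suffix: {value!r}")
    return value


def is_safe_branch(value: str) -> bool:
    """Boolean form of validate_branch, handy for request-time checks and tests."""
    try:
        validate_branch(value)
    except ValueError:
        return False
    return True


def naive_log_argv(branch: str) -> List[str]:
    """The unsafe pattern: a caller-controlled value dropped straight into argv.

    Even without a shell (argv is a list), a value beginning with '-' is parsed
    by git as an option; that is the whole mechanism of argument injection.
    """
    return ["git", "log", "--oneline", branch]


def hardened_log_argv(branch: str, path: Optional[str] = None) -> List[str]:
    """Build a `git log` argv with layered defences:

    1. validate the branch name (no leading '-', ref syntax only);
    2. fully qualify it as refs/heads/<name>, so the operand can never begin with '-';
    3. put '--' before any path, so paths are never parsed as options at all.
    """
    ref = "refs/heads/" + validate_branch(branch)
    argv = ["git", "log", "--oneline", "-n", "20", ref]
    if path is not None:
        argv += ["--", path]  # after '--' git treats even '-foo' as a path, not a flag
    return argv


def run_log(repo_dir: str, branch: str, path: Optional[str] = None) -> subprocess.CompletedProcess:
    """Execute the hardened command; argv is a list, so no shell ever re-parses it."""
    return subprocess.run(
        hardened_log_argv(branch, path),
        cwd=repo_dir, capture_output=True, text=True, check=False,
    )


if __name__ == "__main__":
    # The option-shaped value reaches git unchanged in the naive builder...
    print(naive_log_argv(OPTION_SHAPED))
    # ...but the hardened builder refuses it, while still accepting a '-' path after '--'.
    print(hardened_log_argv(SAFE_BRANCH, DASH_PATH))
    print("option-shaped branch accepted:", is_safe_branch(OPTION_SHAPED))
```

The point of the three layers is that they fail independently: validation catches malformed input at the boundary, the refs/heads/ prefix makes the argv position structurally incapable of carrying a flag even if validation were bypassed, and "--" protects the trailing path operands, which the prefix cannot reach.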

All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability.

This issue can be tracked here: https://jira.atlassian.com/browse/BSERV-11947

Acknowledgements

We would like to acknowledge William Bowling for finding this vulnerability.

Fix

In order to address this issue we have applied fixes to the following released versions of Bitbucket Server & Data Center:

  1. Version 6.6.1 can be downloaded from here.

  2. Version 6.6.0 can be downloaded from here.

  3. Version 6.5.2 can be downloaded from here.

  4. Version 6.4.3 can be downloaded from here.

  5. Version 6.3.5 can be downloaded from here.

  6. Version 6.2.6 can be downloaded from here.

  7. Version 6.1.8 can be downloaded from here.

  8. Version 6.0.10 can be downloaded from here.

  9. Version 5.16.10 can be downloaded from here.

What You Need to Do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the release notes. You can download the latest version of Bitbucket Server & Bitbucket Data Center from the download center.

Upgrade Bitbucket Server & Bitbucket Data Center to version 6.6.0 or higher.


If you can't upgrade to the latest version:

If you have version…             …then upgrade to any of these versions

1.x, 2.x, 3.x, 4.x or 5.x        5.16.10, 6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2

6.0.x                            6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2

6.1.x                            6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2

6.2.x                            6.2.6, 6.3.5, 6.4.3, 6.5.2

6.3.x                            6.3.5, 6.4.3, 6.5.2

6.4.x                            6.4.3, 6.5.2

6.5.x                            6.5.2


Mitigation

To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.

The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.


Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the standard functionality of Bitbucket.

This hotfix covers:
  • Standard Bitbucket functionality and features

  • Bitbucket Server and Data Center versions 4.0.0 and later

  • Bitbucket Server and Data Center instances

To install the hotfix:

This hotfix is a zero-downtime installation; no restart is required after installing it.

  1. Log in to Bitbucket with your administrator account

  2. Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“

  3. Select “Upload App” and provide the URL

    https://jira.atlassian.com/secure/attachment/376655/bitbucket-bserv-11896-hotfix-1.0.0.jar

  4. Click “Upload” and wait for the hotfix to install.

If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from https://jira.atlassian.com/browse/BSERV-11947. You are then able to upload the Jar file using the same steps above.

After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.


Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug Fix Policy

As per our new policy, critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released.

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.

Last modified on Sep 17, 2019
