Bitbucket Server Security Advisory 2020-01-15
Bitbucket Server and Data Center - Remote Code Execution (RCE) Vulnerabilities
Summary | January 2020 Bitbucket Server and Data Center Advisory - Remote Code Execution (RCE) vulnerabilities. |
---|---|
Advisory Release Date | 10 AM PDT (Pacific Time, -7 hours) |
Product | Bitbucket Server Bitbucket Data Center |
Affected Bitbucket Server and Data Center Versions |
|
Fixed Bitbucket Server and Data Center Versions |
|
CVE ID(s) |
|
Summary of Vulnerability
This advisory discloses critical severity security vulnerabilities in the Bitbucket Server and Data Center versions listed above ("Affected Bitbucket Server and Data Center Versions").
Customers who have downloaded and installed any of the Bitbucket Server and Data Center versions listed above ("Affected Bitbucket Server and Data Center Versions") are affected.
Please upgrade your Bitbucket Server and Data Center installations immediately to fix this vulnerability.
Customers using Bitbucket Cloud are not affected.
Bitbucket Smart Mirrors are not affected.
Customers who have upgraded Bitbucket Server and Data Center to versions 5.16.11, 6.0.11, 6.1.9, 6.2.7, 6.3.6, 6.4.4, 6.5.3, 6.6.3, 6.7.3, 6.8.2, 6.9.1 or higher are not affected.
Remote Code Execution (RCE) via certain user input fields - CVE-2019-15010
Severity
Atlassian has given this vulnerability critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Bitbucket Server and Data Center versions starting from 3.0.0 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket server or Data Center instance.
The versions of Bitbucket Server and Data Center affected by this vulnerability are:
- from version 3.x.x before 5.16.11 (the fixed version for 5.16.x),
- from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
- from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
- from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
- from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
- from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
- from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
- from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
- from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
- from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
- from version 6.9.x before 6.9.1 (fixed version for 6.9.x)
This issue can be tracked here: BSERV-12098 - Getting issue details... STATUS
Acknowledgements
Credit for finding this vulnerability goes to voidfyoo of Chaitin Tech.
Remote Code Execution (RCE) via post-receive hook - CVE-2019-20097
Severity
Atlassian has given this vulnerability critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Bitbucket Server and Data Center versions starting from 1.0.0 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Data Center systems, using a file with specially crafted content.
The versions of Bitbucket Server and Data Center affected by this vulnerability are:
- from version 1.x.x before 5.16.11 (fixed version for 5.16.x),
- from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
- from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
- from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
- from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
- from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
- from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
- from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
- from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
- from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
- from version 6.9.x before 6.9.1 (fixed version for 6.9.x)
This issue can be tracked here: BSERV-12099 - Getting issue details... STATUS
Acknowledgements
Credit for this finding goes to thanat0s from Chaitin Tech.
Remote Code Execution (RCE) via edit-file request - CVE-2019-15012
Severity
Atlassian has given this vulnerability critical CVSS score. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Bitbucket Server and Data Center versions >= 4.13 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victim's Bitbucket Server or Data Center instance using the edit-file endpoint, if the user Bitbucket Server or Data Center is running as has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victim's Bitbucket Server instance.
The versions of Bitbucket Server and Data Center affected by this vulnerability are:
- from version 4.13.x before 5.16.11 (fixed version for 5.16.x),
- from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
- from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
- from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
- from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
- from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
- from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
- from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
- from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
- from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
- from version 6.9.x before 6.9.1 (fixed version for 6.9.x)
This issue can be tracked here: BSERV-12100 - Getting issue details... STATUS
Acknowledgements
Credit for this finding goes to the Atlassian Bitbucket Server and Data Center development team.
Fix
To address these issues, we have released Bitbucket Server and Data Center version:
- 5.16.11 that contains a fix for these issues.
- 6.0.11 that contains a fix for these issues.
- 6.1.9 that contains a fix for these issues.
- 6.2.7 that contains a fix for these issues.
- 6.3.6 that contains a fix for these issues.
- 6.4.4 that contains a fix for these issues.
- 6.5.3 that contains a fix for these issues.
- 6.6.3 that contains a fix for these issues.
- 6.7.3 that contains a fix for these issues.
- 6.8.2 that contains a fix for these issues.
- 6.9.1 that contains a fix for these issues.
These versions can be downloaded at https://www.atlassian.com/software/bitbucket/download-archives, with the latest version at https://www.atlassian.com/software/bitbucket/download.
What You Need to Do
Atlassian recommends that you upgrade to the latest version (6.9.1). For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket Server and Data Center from the Atlassian website.
If you can't upgrade to the latest version (6.9.1):
If you have feature version… | …then upgrade to this bugfix version: |
---|---|
1.x.x, 2.x.x, 3.x.x, 4.x.x or 5.x.x | 5.16.11 |
6.0.x | 6.0.11 |
6.1.x | 6.1.9 |
6.2.x | 6.2.7 |
6.3.x | 6.3.6 |
6.4.x | 6.4.4 |
6.5.x | 6.5.3 |
6.6.x | 6.6.3 |
6.7.x | 6.7.3 |
6.8.x | 6.8.2 |
Mitigation
If you are unable to upgrade Bitbucket server or Data Center immediately, then as a temporary workaround, you can follow the following steps:
- For CVE-2019-15012, the edit-file feature can be disabled by following the steps below:
In bitbucket.properties, set feature.file.editor=false
For more information, look at: https://confluence.atlassian.com/bitbucketserver/bitbucket-server-config-properties-776640155.html
There are no known workarounds for CVE-2019-15010 or CVE-2019-20097, so it's important to upgrade to a fixed version as soon as possible.
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
Security Bug Fix Policy | As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released. |
Severity Levels for security issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |