Bitbucket Server Security Advisory 2020-01-15

Bitbucket Server and Data Center - Remote Code Execution (RCE) Vulnerabilities

Summary

January 2020 Bitbucket Server and Data Center Advisory - Remote Code Execution (RCE) vulnerabilities.

Advisory Release Date

 10 AM PDT (Pacific Time, -7 hours)

Product

Bitbucket Server

Bitbucket Data Center

Affected Bitbucket Server and Data Center Versions

  • All 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
  • All 5.x.x versions before 5.16.11
  • All 6.0.x versions before 6.0.11
  • All 6.1.x versions before 6.1.9
  • All 6.2.x versions before 6.2.7
  • All 6.3.x versions before 6.3.6
  • All 6.4.x versions before 6.4.4
  • All 6.5.x versions before 6.5.3
  • All 6.6.x versions before 6.6.3
  • All 6.7.x versions before 6.7.3
  • All 6.8.x versions before 6.8.2
  • All 6.9.x versions before 6.9.1

Fixed Bitbucket Server and Data Center Versions

  • Version 5.16.11 for versions 1.x.x to 5.x.x
  • Version 6.0.11 for versions 6.0.x
  • Version 6.1.9 for versions 6.1.x
  • Version 6.2.7 for versions 6.2.x
  • Version 6.3.6 for versions 6.3.x
  • Version 6.4.4 for versions 6.4.x
  • Version 6.5.3 for versions 6.5.x
  • Version 6.6.3 for versions 6.6.x
  • Version 6.7.3 for versions 6.7.x
  • Version 6.8.2 for versions 6.8.x
  • Version 6.9.1 for versions 6.9.x
CVE ID(s)
  • CVE-2019-15010
  • CVE-2019-20097
  • CVE-2019-15012


Summary of Vulnerability

This advisory discloses critical severity security vulnerabilities in the Bitbucket Server and Data Center versions listed above ("Affected Bitbucket Server and Data Center Versions").

Customers who have downloaded and installed any of the Bitbucket Server and Data Center versions listed above ("Affected Bitbucket Server and Data Center Versions") are affected.

Please upgrade your Bitbucket Server and Data Center installations immediately to fix this vulnerability.

Customers using Bitbucket Cloud are not affected.

Bitbucket Smart Mirrors are not affected.

Customers who have upgraded Bitbucket Server and Data Center to versions 5.16.11, 6.0.11, 6.1.9, 6.2.7, 6.3.6, 6.4.4, 6.5.3, 6.6.3, 6.7.3, 6.8.2, 6.9.1 or higher are not affected.

Remote Code Execution (RCE) via certain user input fields - CVE-2019-15010

Severity

Atlassian has given this vulnerability critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Bitbucket Server and Data Center versions starting from 3.0.0 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket server or Data Center instance.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 3.x.x before 5.16.11 (the fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x), 
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x), 
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x), 
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x), 
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x), 
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x), 
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x), 
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x), 
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x)

This issue can be tracked here:  BSERV-12098 - Getting issue details... STATUS

Acknowledgements

Credit for finding this vulnerability goes to voidfyoo of Chaitin Tech.

Remote Code Execution (RCE) via post-receive hook - CVE-2019-20097

Severity

Atlassian has given this vulnerability critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Bitbucket Server and Data Center versions starting from 1.0.0 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Data Center systems, using a file with specially crafted content.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 1.x.x before 5.16.11 (fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x), 
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x), 
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x), 
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x), 
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x), 
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x), 
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x), 
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x), 
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x)

This issue can be tracked here:  BSERV-12099 - Getting issue details... STATUS

Acknowledgements

Credit for this finding goes to thanat0s from Chaitin Tech.

Remote Code Execution (RCE) via edit-file request - CVE-2019-15012

Severity

Atlassian has given this vulnerability critical CVSS score. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Bitbucket Server and Data Center versions >= 4.13 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victim's Bitbucket Server or Data Center instance using the edit-file endpoint, if the user Bitbucket Server or Data Center is running as has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victim's Bitbucket Server instance.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 4.13.x before 5.16.11 (fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x), 
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x), 
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x), 
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x), 
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x), 
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x), 
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x), 
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x), 
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x)

This issue can be tracked here:  BSERV-12100 - Getting issue details... STATUS

Acknowledgements

Credit for this finding goes to the Atlassian Bitbucket Server and Data Center development team.



Fix

To address these issues, we have released Bitbucket Server and Data Center version:

  • 5.16.11 that contains a fix for these issues.
  • 6.0.11 that contains a fix for these issues.
  • 6.1.9 that contains a fix for these issues.
  • 6.2.7 that contains a fix for these issues.
  • 6.3.6 that contains a fix for these issues.
  • 6.4.4 that contains a fix for these issues.
  • 6.5.3 that contains a fix for these issues.
  • 6.6.3 that contains a fix for these issues.
  • 6.7.3 that contains a fix for these issues.
  • 6.8.2 that contains a fix for these issues.
  • 6.9.1 that contains a fix for these issues.

These versions can be downloaded at https://www.atlassian.com/software/bitbucket/download-archives, with the latest version at https://www.atlassian.com/software/bitbucket/download.

What You Need to Do

Atlassian recommends that you upgrade to the latest version (6.9.1). For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket Server and Data Center from the Atlassian website.


If you can't upgrade to the latest version (6.9.1):

If you have feature version…

…then upgrade to this bugfix version:

1.x.x, 2.x.x, 3.x.x, 4.x.x or 5.x.x

5.16.11

6.0.x

6.0.11
6.1.x6.1.9
6.2.x6.2.7
6.3.x6.3.6
6.4.x6.4.4
6.5.x6.5.3
6.6.x6.6.3
6.7.x6.7.3
6.8.x6.8.2


Mitigation

If you are unable to upgrade Bitbucket server or Data Center immediately, then as a temporary workaround, you can follow the following steps:

There are no known workarounds for CVE-2019-15010 or CVE-2019-20097, so it's important to upgrade to a fixed version as soon as possible.

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug Fix Policy

As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy.  We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released. 

Severity Levels for security issuesAtlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life PolicyOur end of life policy varies for different products. Please refer to our EOL Policy for details. 
Last modified on Jan 28, 2020

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.