FAQ for CVE-2022-36804
Atlassian Knowledge Base
General Information
There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with read permissions to a public or private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.
This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will continuously update this page as new information becomes available.
Are Cloud instances affected?
No, Atlassian cloud instances are not vulnerable and no customer action is required.
I use the bitbucket.org domain to access my repositories, should I be worried?
No. If you access your repositories via the bitbucket.org domain, you are using Bitbucket Cloud and you are not vulnerable.
Are other Atlassian Server (DC) products affected by this vulnerability?
This vulnerability is specific to Bitbucket Server and Data Center so other Atlassian Server/DC products such as Crowd, Jira, Confluence, or Bamboo are not affected. If you think your instance has been compromised, please work with local security teams to scope the full impact and mitigation plans. Please also contact Atlassian Support immediately by opening a high-priority support case.
Are all Bitbucket Server/DC instances affected?
All Bitbucket Server and Data Center versions released after 6.10.17 are affected. This means that every instance running any version from 7.0.0 to 8.3.0 inclusive can be exploited through this vulnerability.
The full list of affected versions can be found in the bug report BSERV-13438.
What needs to be done: Atlassian recommends that you upgrade to one of the versions listed in the "Fixed versions" section of the advisory. For a full description of the latest versions, see the Bitbucket Server and Data Center Release Notes. You can download the most recent binaries from the download center.
On which versions of Bitbucket Server/DC was this vulnerability fixed?
Please refer to the following list of fixed versions that were released for Bitbucket Server:
Supported Version | Fixed version
---|---
7.6 (LTS) | 7.6.17 or newer
7.17 (LTS) | 7.17.10 or newer
7.21 (LTS) | 7.21.4 or newer
8.0 | 8.0.3 or newer
8.1 | 8.1.3 or newer
8.2 | 8.2.2 or newer
8.3 | 8.3.1 or newer
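As an added example (not Atlassian's code or tooling), the following Python helper encodes the affected range and the fixed versions from the table above so that an inventory of instance versions can be triaged before upgrading; the host names in the sample are constructed.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Release line -> first fixed patch release, taken from the table above.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (7, 6): (7, 6, 17), (7, 17): (7, 17, 10), (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3), (8, 1): (8, 1, 3), (8, 2): (8, 2, 2), (8, 3): (8, 3, 1),
}
# The FAQ states that 7.0.0 through 8.3.0 inclusive are affected.
FIRST_AFFECTED: Version = (7, 0, 0)
LAST_AFFECTED: Version = (8, 3, 0)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]'; a missing PATCH counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Bitbucket version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(text: str) -> str:
    """Return 'fixed', 'affected' or 'outside-affected-range'."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:                      # release line that received a fix
        return "fixed" if v >= fixed else "affected"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:   # affected line with no fix release
        return "affected"
    return "outside-affected-range"            # before 7.0.0 or after the 8.3 line


def recommended_upgrade(text: str) -> Optional[str]:
    """Lowest fixed release on the same line; None if already fixed or the line got no fix."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None or v >= fixed:
        return None
    return ".".join(map(str, fixed))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names, not real systems).
    for host, ver in {"bb-prod-1": "7.21.3", "bb-mirror-1": "7.19.5", "bb-lab": "8.3.1"}.items():
        target = recommended_upgrade(ver)
        print(f"{host} ({ver}): {classify(ver)}" + (f", upgrade to {target}" if target else ""))
```

A line that reports "affected" with no upgrade target (for example a non-LTS 7.x release) has no patch release, so per the bug fix policy below the instance must move to a fixed LTS or feature version instead.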
Is it possible to mitigate this vulnerability by changing my proxy settings?
While this seems like a good idea at first, block lists are prone to bypass and therefore not reliable enough for us to suggest as a viable workaround for this type of vulnerability. There are too many encoding considerations to account for and it would be nearly impossible for us to be sure that we would have covered them all. In fact, we have tried to provide guidance on how to block malicious requests in the past, but unfortunately, this alternative has proven to be unreliable.
Why hasn't this bugfix been released for the version I'm using?
As per our Bug fix policy, we are committed to backporting critical security bug fixes to all LTS versions released in the last 2 years and to all feature versions released within 6 months of the fix release date. This means that any version below 7.19.x that is not an LTS (Long Term Support) version will not receive the fix for this or any other future security bug. If you want to ensure your version of Bitbucket gets the latest bug fixes in the future, we recommend upgrading before your version reaches end of life.
I need help upgrading, what should I do?
For detailed information and step-by-step instructions related to upgrading, please see the Bitbucket Data Center Upgrade Guide, or, if you are not running Bitbucket in a cluster, follow the instructions in our Bitbucket Server upgrade guide. This is our recommended, supported method for upgrading Bitbucket Server, and it contains all the information on this page as well as other helpful tips to ensure your upgrade is successful.
For upgrading Bitbucket Data Center using Zero Downtime, please see Upgrade Bitbucket Data Center with Zero downtime for more information.
Testing
The most important step to take to avoid production outages is to follow change management best practices by testing the upgrade in a staging environment first. For more information on how to set up a staging environment, see How to establish staging server environments for Bitbucket Server.
If you still have questions or concerns, please raise a support request at https://support.atlassian.com/
My instance does not have any public repositories, what should I do? Am I safe?
If the Bitbucket Server/DC instance does not have any public repositories, the risk of an exploit/attack will be lower as users will need to have a Bitbucket account in order to exploit this vulnerability. However, out of an abundance of caution, the guidance on the advisory details page still applies.
Do I need to upgrade all my Mirrors as well?
This vulnerability is exploited via REST APIs, and all known susceptible endpoints are blocked on mirrors. However, an exploit via another path may be possible because the vulnerable command line argument handler still exists in mirrors, so we recommend upgrading your mirrors as well.
How does Atlassian decide who to send these emails to?
Atlassian sends a copy of all critical security advisories to the 'Alerts' mailing list for the product concerned, excluding Sourcetree. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email.
Can we determine if Bitbucket has already been compromised?
Unfortunately, Atlassian cannot confirm if a Bitbucket instance has been compromised. Please involve the local security team or a specialist security forensics firm for further investigation.
Atlassian recommends checking the integrity of the Bitbucket filesystem, for example, comparison of artifacts in their current state with recent backups to see if there are any unexpected differences.
All security compromises are different, and there is a risk that an attacker could hide their footprint and change important files (syslogs, audit logs, access logs, etc.) depending on the component that has been compromised.
My instance isn't exposed to the Internet. Is an upgrade still recommended?
Yes. Upgrading to a fixed version of Bitbucket Server and Data Center is the only way to ensure that your instance is protected against CVE-2022-36804.
How do I know if the patch works? Will Atlassian give me more details so that I can have my security team test the fix?
In our public ticket for the issue, we share that this is an unauthenticated remote code execution vulnerability via API endpoints. While we can’t share the payloads which successfully exploit vulnerable instances, this may provide a good starting point for customers with penetration test teams.
The risk in sharing too much detail is that malicious actors would be able to develop an exploit to use against other vulnerable Bitbucket instances.