FAQ for CVE-2022-36804

Atlassian Knowledge Base


General Information

There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with read permissions to a public or private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.

This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will continuously update this page as new information becomes available.

Are Cloud instances affected?

No, Atlassian cloud instances are not vulnerable and no customer action is required.

I use the bitbucket.org domain to access my repositories, should I be worried?

No. If you access your repositories via the bitbucket.org domain, you are using Bitbucket Cloud and you are not vulnerable.

Are other Atlassian Server (DC) products affected by this vulnerability?

This vulnerability is specific to Bitbucket Server and Data Center so other Atlassian Server/DC products such as Crowd, Jira, Confluence, or Bamboo are not affected. If you think your instance has been compromised, please work with local security teams to scope the full impact and mitigation plans. Please also contact Atlassian Support immediately by opening a high-priority support case.

Are all Bitbucket Server/DC instances affected?

All Bitbucket Server and Data Center versions released after 6.10.17 are affected; this means that all instances running any version between 7.0.0 and 8.3.0 inclusive can be exploited through this vulnerability.

The full list of affected versions can be found in the bug report BSERV-13438.

What needs to be done: Atlassian recommends that you upgrade to one of the versions mentioned in the "Fixed versions" section of the advisory. For a full description of the latest versions, see the Bitbucket Server and Data Center Release Notes. You can download the most recent binaries from the download center.

On which versions of Bitbucket Server/DC was this vulnerability fixed?

Please refer to the following list of fixed versions that were released for Bitbucket Server: 

Is it possible to mitigate this vulnerability by changing my proxy settings?

While this seems like a good idea at first, block lists are prone to bypass and therefore not reliable enough for us to suggest as a viable workaround for this type of vulnerability. There are too many encoding considerations to account for and it would be nearly impossible for us to be sure that we would have covered them all. In fact, we have tried to provide guidance on how to block malicious requests in the past, but unfortunately, this alternative has proven to be unreliable.

Why hasn't this bugfix been released for the version I'm using?

As per our Bug fix policy, we are committed to backporting critical security bug fixes to all LTS versions released in the last 2 years and to all feature versions released within 6 months of the fix release date. This means that any version below 7.19.x that is not an LTS (Long Term Support) version will not receive the fix for this or any future security bug. If you want to ensure your version of Bitbucket gets the latest bug fixes in the future, we recommend upgrading before your version reaches end of life.

I need help upgrading, what should I do?

For detailed information and step-by-step instructions related to upgrading, please see the Bitbucket Data Center Upgrade Guide, or, if you are not running Bitbucket in a cluster, please follow the instructions in our Bitbucket Server upgrade guide. This is our recommended, supported method for upgrading Bitbucket Server, and it contains all the information in this article as well as other helpful tips to ensure your upgrade is successful.

For upgrading Bitbucket Data Center using Zero Downtime, please see Upgrade Bitbucket Data Center with Zero downtime for more information.

Testing

The most important step to take to avoid production outages is to follow change management best practices by testing the upgrade in a staging environment first. For more information on how to set up a staging environment, see How to establish staging server environments for Bitbucket Server.

If you still have questions or concerns, please raise a support request at https://support.atlassian.com/

My instance does not have any public repositories, what should I do? Am I safe?

If the Bitbucket Server/DC instance does not have any public repositories, the risk of an exploit/attack is lower, as users will need a Bitbucket account in order to exploit this vulnerability. However, out of an abundance of caution, the guidance on the advisory details page still applies.

Do I need to upgrade all my Mirrors as well?

This vulnerability is exploited via REST APIs, and all known susceptible endpoints are blocked on mirrors. However, an exploit via another path may be possible because the vulnerable command line argument handler still exists in mirrors, so we do recommend also upgrading your mirrors.

How does Atlassian decide who to send these emails to?

Atlassian sends a copy of all critical security advisories to the 'Alerts' mailing list for the product concerned, excluding Sourcetree. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email.

Can we determine if Bitbucket has already been compromised?

Unfortunately, Atlassian cannot confirm if a Bitbucket instance has been compromised. Please involve the local security team or a specialist security forensics firm for further investigation.

Atlassian recommends checking the integrity of the Bitbucket filesystem, for example, comparison of artifacts in their current state with recent backups to see if there are any unexpected differences.

All security compromises are different, and there is a risk that an attacker could hide their footprint and change important files such as syslogs, audit logs, and access logs, depending on the component that has been compromised.
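One way to carry out the backup comparison recommended above, as an added example (not Atlassian tooling): hash every regular file under the live install and under a backup copy, then list what was added, removed or modified. The file names in `demo()` are constructed sample data, and the check assumes the backup itself predates any compromise and says nothing about activity that never touched the filesystem.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root (symlinks skipped)."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(current, backup):
    """Diff a live install against a backup: files added, removed, or modified since the backup."""
    cur, bak = hash_tree(current), hash_tree(backup)
    return {
        "added": sorted(set(cur) - set(bak)),
        "removed": sorted(set(bak) - set(cur)),
        "modified": sorted(p for p in set(cur) & set(bak) if cur[p] != bak[p]),
    }


def demo():
    """Constructed sample: a fake install and backup that differ in three places."""
    tmp = Path(tempfile.mkdtemp())
    backup, current = tmp / "backup", tmp / "current"
    for d in (backup, current):
        (d / "bin").mkdir(parents=True)
        (d / "bin" / "start-bitbucket.sh").write_text("#!/bin/sh\nexec java ...\n")
        (d / "bitbucket.properties").write_text("server.port=7990\n")
    # Changed after the backup was taken (hypothetical tampering)
    (current / "bin" / "start-bitbucket.sh").write_text("#!/bin/sh\n# changed\n")
    # Present only in the live install
    (current / "bin" / "extra-file.txt").write_text("unexpected\n")
    # Present only in the backup
    (backup / "README.txt").write_text("old\n")
    return compare_trees(current, backup)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it against a real install by calling `compare_trees("/path/to/bitbucket", "/path/to/backup")`; every reported path is a lead for the forensics team, not a verdict.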

My instance isn't exposed to the Internet. Is an upgrade still recommended?

Yes. Upgrading to a fixed version of Bitbucket Server and Data Center is the only way to ensure that your instance is protected against CVE-2022-36804.

How do I know if the patch works? Will Atlassian give me more details so that I can have my security team test the fix?

In our public ticket for the issue, we share that this is an unauthenticated remote code execution vulnerability via API endpoints. While we can’t share the payloads which successfully exploit vulnerable instances, this may provide a good starting point for customers with penetration test teams.

The risk in sharing too much detail is that malicious actors would be able to develop an exploit to use against other vulnerable Bitbucket instances.

Last modified on Aug 18, 2022
