Atlassian Products & Services and CVE-2018-11235 & CVE-2018-11233
We are aware of several security issues that were recently fixed in Git. This page contains information about which products are affected by CVE-2018-11235 (arbitrary code execution through exploiting git submodule names) & CVE-2018-11233 (code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory) and, where applicable, workarounds that you can use. We strongly recommend that you update all of your client Git installations to a fixed version of Git.
The following products and services are not affected by CVE-2018-11235 or CVE-2018-11233
- Bitbucket Cloud
- Confluence Cloud
- Confluence Server
- Crowd
- Jira Cloud
- Jira Core
- Jira Software
- Jira Service Desk
- Jira Data Center
These products do not use Git and therefore are not vulnerable to these issues. However, if Git is installed on the same system as one of these products, we recommend updating Git.
Products affected by CVE-2018-11233
Products listed under this section may be affected by CVE-2018-11233 (code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory).
Bitbucket Server
Bitbucket Server running on Windows may be affected by CVE-2018-11233, if you have enabled any of the fsckObjects options ("fetch.fsckObjects", "receive.fsckObjects" or "transfer.fsckObjects") in any of your repositories, or globally for the Bitbucket Server user. For those running on Windows, we recommend updating Bitbucket Server with a patched version of Git. Information on updating Git can be found at https://confluence.atlassian.com/bitbucketserver/installing-and-upgrading-git-776640906.html.
Bitbucket Server itself is not vulnerable to CVE-2018-11235, regardless of platform, but we strongly recommend updating your client Git installations with a patched version of Git. The following versions of Git contain patches for CVE-2018-11233 and CVE-2018-11235:
- Git 2.17.1
- Git 2.16.4
- Git 2.15.2
- Git 2.14.4
- Git 2.13.7
Be aware that the advice found below for enabling transfer.fsckObjects can result in significantly higher disk and CPU usage when servicing clone, fetch, pull and push operations. We recommend monitoring system utilization to ensure the increased load doesn't cause performance issues. Additionally, once you have upgraded all of your Git clients we recommend disabling the transfer.fsckObjects option again.
Additionally, after upgrading to a fixed version of Git on Bitbucket Server, you may want to consider globally enabling the transfer.fsckObjects Git option to help prevent exploitation of vulnerable Git client installations until all clients have been patched.
This can be done by running the following command as the user that Bitbucket Server runs as.
git config --global --bool transfer.fsckObjects true
Crucible and Fisheye
Crucible does not come bundled with Git and currently uses the version that is installed on your system. Crucible is not affected by CVE-2018-11235. However, Crucible running on Windows may be affected by CVE-2018-11233, if you have enabled any of the fsckObjects options ("fetch.fsckObjects", "receive.fsckObjects" or "transfer.fsckObjects") in any of your repositories, or globally for the Crucible user. For those running on Windows, we recommend updating Crucible with a patched version of Git.
Fisheye does not come bundled with Git and currently uses the version that is installed on your system. Fisheye is not affected by CVE-2018-11235. However, Fisheye running on Windows may be affected by CVE-2018-11233, if you have enabled any of the fsckObjects options ("fetch.fsckObjects", "receive.fsckObjects" or "transfer.fsckObjects") in any of your repositories, or globally for the Fisheye user. For those running on Windows, we recommend updating Fisheye with a patched version of Git.
Products affected by CVE-2018-11233 and CVE-2018-11235
Products listed under this section may be affected by CVE-2018-11235 (arbitrary code execution through exploiting git submodule names) and CVE-2018-11233 (code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory).
Bamboo
Bamboo versions 6.6.0 and higher have stock elastic images that contain fixes for CVE-2018-11233 and CVE-2018-11235.
Bamboo does not come bundled with Git and currently uses the version that is installed on your system. Bamboo running on Windows may be affected by CVE-2018-11233, if you have enabled any of the fsckObjects options ("fetch.fsckObjects", "receive.fsckObjects" or "transfer.fsckObjects") in any of your repositories, or globally for the Bamboo user. For those running on Windows, we recommend updating Bamboo with a patched version of Git. While Bamboo Server is not affected by CVE-2018-11235, Bamboo agents can be affected by CVE-2018-11235. We recommend updating the client Git installations on your Bamboo agents with a patched version of Git. The following versions of Git contain patches for CVE-2018-11233 and CVE-2018-11235:
- Git 2.17.1
- Git 2.16.4
- Git 2.15.2
- Git 2.14.4
- Git 2.13.7
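The fixed-version lists above (for Bitbucket Server and for Bamboo agents) and the fsckObjects conditions can be checked from a script. The following POSIX shell script is an added example, not Atlassian's code: it classifies a `git --version` string against the fixed releases listed in this advisory and reports whether any fsckObjects option is switched on in the global config of the user it runs as. It assumes that series newer than 2.17 (for example 2.18) also carry the fixes, which the advisory does not state.

```shell
#!/bin/sh
# Added example, not Atlassian's code: classify a Git version against the fixed
# releases this advisory lists (CVE-2018-11233 / CVE-2018-11235) and report
# fsckObjects settings, the CVE-2018-11233 trigger on Windows/NTFS.

# Minimum patched release per maintenance series; older series received no fix.
fixed_for_series() {
    case "$1" in
        2.17) echo 2.17.1 ;;  2.16) echo 2.16.4 ;;  2.15) echo 2.15.2 ;;
        2.14) echo 2.14.4 ;;  2.13) echo 2.13.7 ;;  *) echo "" ;;
    esac
}

# Reduce "git version 2.17.1.windows.2" or "2.17.1(2)" to "2.17.1";
# prints nothing when no three-part version is present.
normalize_git_version() {
    printf '%s\n' "$1" | sed -n -e 's/^git version //' \
        -e 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# git_is_patched VERSION -> prints "patched", "vulnerable" or "unknown".
# Assumption (not stated in the advisory): series newer than 2.17 carry the fix.
git_is_patched() {
    v=$(normalize_git_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    fixed=$(fixed_for_series "$major.$minor")
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 17 ]; }; then
        echo patched
    elif [ -n "$fixed" ] && [ "$patch" -ge "${fixed##*.}" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# any_fsck_enabled CONFIG_LINES -> succeeds when "git config --get-regexp"
# output shows fetch/receive/transfer.fsckObjects switched on.
any_fsck_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^(fetch|receive|transfer)\.fsckobjects[[:space:]]+(true|yes|on|1)$'
}

# Stand-alone audit of the Git on PATH: run with --audit as the Bitbucket Server user.
if [ "${1:-}" = "--audit" ]; then
    git_is_patched "$(git --version)"
    cfg=$(git config --global --get-regexp '\.fsckobjects$' 2>/dev/null || true)
    if any_fsck_enabled "$cfg"; then echo "fsckObjects enabled globally:"; echo "$cfg"; fi
fi
```

Repository-level settings are not covered by the `--global` query; run `git config --get-regexp '\.fsckobjects$'` inside each repository to check those as well.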
Bitbucket Pipelines
We have updated the version of Git used in the Bitbucket Pipelines container to fix these issues.
Git is executed inside a build container, which is a sandboxed environment. Therefore, Bitbucket Pipelines itself is not impacted by CVE-2018-11235, and it is not vulnerable to CVE-2018-11233 because it does not use the NTFS filesystem. Before we updated the version of Git used in the build container, attackers with write access to a repository could set up a malicious Git submodule to exploit CVE-2018-11235 in Pipelines builds.
Sourcetree for Mac and Sourcetree for Windows
We have released fixed versions of Sourcetree for Mac and Sourcetree for Windows which are available for download from https://www.sourcetreeapp.com/.
Sourcetree for Mac and Sourcetree for Windows are affected by CVE-2018-11235 if you clone with the recursive option enabled or otherwise interact with a submodule. We have released version 2.7.6 of Sourcetree for Mac, which can be downloaded from https://www.sourcetreeapp.com/, that updates the embedded version of Git to 2.17.1. We have also released version 2.6.9 of Sourcetree for Windows, which upgrades the embedded version of Git to 2.17.1(2), available for download at https://www.sourcetreeapp.com/ or https://www.sourcetreeapp.com/enterprise/ for Enterprise deployments. If you can't upgrade for some reason, we recommend installing and using as detailed in our article about configuring Git.
Products and Services not listed on this page
If a product or service you use is not listed on this page and you are wondering how CVE-2018-11233 & CVE-2018-11235 may affect it, open a support request at https://support.atlassian.com.