Multiple Products Security Advisory - Git Buffer Overflow - CVE-2022-41903, CVE-2022-23521

Security Advisories & Bulletins

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Summary

Git Buffer Overflow in Multiple Products

Advisory Release Date

 10:00 AM PDT (Pacific Time, -7 hours)

Affected Products

  • Bitbucket Server and Data Center

  • Bamboo Server and Data Center

  • Fisheye

  • Crucible

  • Sourcetree


Atlassian Cloud sites are not affected

Fixes have been deployed to Atlassian Cloud sites. If your Atlassian site is accessed via a bitbucket.org or an atlassian.net domain, it is an Atlassian Cloud site

CVE ID(s)

CVE-2022-41903
CVE-2022-23521

Summary of Vulnerabilities

This advisory addresses a pair of critical security vulnerabilities in Git that affect multiple Atlassian products.

CVE-2022-41903 - Heap overflow in git archive, git log --format

Git Security Advisory - CVE-2022-41903

git log has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute.

When processing the padding operators for formatting (e.g., %<(, %<|(, %>(, >>(, or %><(), an integer overflow can occur. This overflow can be triggered directly by a user running a command that invokes the commit formatting machinery, or indirectly through git archive and the export-subst mechanism.

The integer overflow results in arbitrary heap writes, which may result in remote code execution.

CVE-2022-23531 - gitattributes parsing integer overflow

Git Security Advisory - CVE-2022-23521

gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a .gitattributes file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern.

When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted .gitattributes file that may be part of the commit history.

This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.

Severity

Atlassian rates the severity level of these vulnerabilities as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected Products

Git has released patches for both vulnerabilities for the following versions of Git

  • >= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1

Please refer to the official Git security advisories for more information:

Bitbucket Server and Data Center

Affected Versions

All versions of Bitbucket Server and Bitbucket Data Center are affected.

Patch Recommendations

Git Configuration

Recommendation

For customers providing Git themselves

Atlassian recommends customers upgrade to the latest patched and supported version of Git available.

Please refer to the supported platforms page for your version of Bitbucket to see if it supports a patched version of Git.

Customers using versions of Bitbucket Server and Data Center < 7.9 will need to upgrade Bitbucket to a later version to support a patched version of Git.

However, for customers running Bitbucket 7.6, the Bitbucket Team has tested and confirmed that Git v2.30.7 should work.

For customers using a Bitbucket Docker Image

All images in the support lifecycle for Bitbucket have been updated to use a patched version of Git.

Please re-download the images to pull the latest changes.

Similarly, customers that pin a Bitbucket image to a hash need to update to the latest hash version associated with the respective image tag.

For customers using Git for Windows

The Bitbucket team has released version v7.21.9, which adds support for Git v2.39.x.

Please update to the latest patched and supported version of Git available.

Currently, Git for Windows does not have plans to backport fixes for these vulnerabilities.

Bamboo Server and Data Center

Affected Versions

All versions of Bamboo are affected.

Patch Recommendations

Git Configuration

Recommendation

For customers providing Git themselves

Atlassian recommends customers update Git at the Bamboo server and remote agents to the latest patched and supported version available.

Please refer to the supported platforms page for your version of Bamboo to see if it supports a patched version of Git.

For customers using a Bamboo Docker Image

All images in the support lifecycle have been updated to use a patched version of Git.

Please re-download the images to pull the latest changes.

Similarly, customers that pin a Bamboo image to a hash need to update to the latest hash version associated with the respective image tag.

For customers using Elastic Bamboo

New AMIs have been prepared with a patched Git Version for Linux and Windows in supported regions in the upcoming Bamboo 9.1.3 release. Customers not wanting to wait for the release can add a line to update Git in the image startup script at the existing image configuration screen or download and use the AMIs before the official release.

For customers using Git for Windows

Please update to the latest version of Git for Windows

Currently, Git for Windows does not have plans to backport fixes for these vulnerabilities.

Fisheye Server

Affected Versions

All versions of Fisheye are affected.

Patch Recommendations

Git Configuration

Recommendation

For customers providing Git themselves

Atlassian recommends customers upgrade to the latest patched and supported version of Git available.

Please refer to the supported platforms page for your version of Fisheye to see if it supports a patched version of Git.

For customers using a Fisheye Docker Image

All images in the support lifecycle have been updated to use a patched version of Git.

Please re-download the images to pull the latest changes.

Similarly, customers that pin a Fisheye image to a hash need to update to the latest hash version associated with the respective image tag.

For customers using Git for Windows

Please update to the latest version of Git for Windows

Currently, Git for Windows does not have plans to backport fixes for these vulnerabilities.

Crucible Server

Affected Versions

All versions of Crucible are affected

Patch Recommendations

Git Configuration

Recommendation

For customers providing Git themselves

Atlassian recommends customers upgrade to the latest patched and supported version of Git available.

Please refer to the supported platforms page for your version of Crucible to see if it supports a patched version of Git.

For customers using a Crucible Docker Image

All images in the support lifecycle have been updated to use a patched version of Git.

Please re-download the images to pull the latest changes.

Similarly, customers that pin a Crucible image to a hash need to update to the latest hash version associated with the respective image tag.

For customers using Git for Windows

Please update to the latest version of Git for Windows

Currently, Git for Windows does not have plans to backport fixes for these vulnerabilities.

Sourcetree

Affected Versions

All versions of Sourcetree for Mac and Windows are vulnerable.

Fixed Versions

The Sourcetree team is actively working on updating embedded Git binaries to v2.39.1 for the next product release version.

  • Mac: v4.2.2

  • Windows: v3.4.12

Mitigation

While the Sourcetree team is working on updating the embedded Git binary, we recommend customers switch Sourcetree to use a patched system Git version.

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy.  We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released. 

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

 Our end of life policy varies for different products. Please refer to our EOL Policy for details. 

Last modified on Feb 17, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.