FAQ for CVE-2022-43781


General Information

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution on the system hosting Bitbucket.

This page contains frequently asked questions and answers about this vulnerability. The Atlassian Security Team will continuously update this page as new information becomes available.

Are Cloud instances affected?

No, Atlassian cloud instances are not vulnerable and no customer action is required.

I use the bitbucket.org domain to access my repositories, should I be worried?

No. If you access your repositories via the bitbucket.org domain, you are using Bitbucket Cloud and you are not vulnerable.

Are other Atlassian Server (DC) products affected by this vulnerability?

This vulnerability is specific to Bitbucket Server and Data Center so other Atlassian Server/DC products such as Crowd, Jira, Confluence, or Bamboo are not affected. If you think your instance has been compromised, please work with local security teams to scope the full impact and mitigation plans. Please also contact Atlassian Support immediately by opening a high-priority support case.

Are all Bitbucket Server/DC instances affected?

Please refer to the following list of affected versions of Bitbucket Server: 

Bitbucket Server and Data Center, affected versions:

  • 7.0 to 7.5 (all versions)

  • 7.6.0 to 7.6.18

  • 7.7 to 7.16 (all versions)

  • 7.17.0 to 7.17.11

  • 7.18 to 7.20 (all versions)

  • 7.21.0 to 7.21.5

The following 8.x versions, only if mesh.enabled=false is set in bitbucket.properties:

  • 8.0.0 to 8.0.4

  • 8.1.0 to 8.1.4

  • 8.2.0 to 8.2.3

  • 8.3.0 to 8.3.2

  • 8.4.0 to 8.4.1

What needs to be done: Atlassian recommends that you upgrade each of your affected installations to one of the fixed versions (or any later version) listed in the “Fixed Versions” section of this page below. For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket from the download center.

On which versions of Bitbucket Server/DC was this vulnerability fixed?

Please refer to the following list of fixed versions that were released for Bitbucket Server and Data Center: 

Bitbucket Server and Data Center, fixed versions:

  • 7.6.19 or newer

  • 7.17.12 or newer

  • 7.21.6 or newer

  • 8.0.5 or newer

  • 8.1.5 or newer

  • 8.2.4 or newer

  • 8.3.3 or newer

  • 8.4.2 or newer

  • 8.5.0 or newer

How can I mitigate the risk of this vulnerability?

To remediate this vulnerability, update each affected product installation to a fixed version listed above.

If you have "Public Signup" turned on and are unable to upgrade your Bitbucket instance, a temporary mitigation step is to disable “Public Signup”. Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated one which would reduce the risk of exploitation. To disable this setting, go to Administration > Authentication and clear the Allow public sign up checkbox.

ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled. For this reason, this mitigation should be treated as a temporary step and customers are recommended to upgrade to a fixed version as soon as possible.

Bitbucket Server and Data Center instances running PostgreSQL are not affected.

Why hasn't this bugfix been released for the version I'm using?

As per our Bug fix policy, we are committed to backporting critical security bug fixes to all LTS versions released in the last 2 years and to all feature versions released within 6 months of the fix release date, which means that any version below 7.19.x that is not an LTS (Long Term Support) version will not receive the fix for this or any future security bug. If you want to ensure your version of Bitbucket gets the latest bug fixes in the future, we recommend upgrading before your version reaches end of life.

I’m running 8.x and don’t see mesh.enabled in bitbucket.properties, am I vulnerable?

If you are running Bitbucket 8.x and do not see any configuration options for mesh.enabled in bitbucket.properties then you are using the default setting, which is true, and you are not vulnerable.

I’m running 7.x, can I set mesh.enabled=true as a temporary mitigation?

No, the mesh.enabled property is only available in Bitbucket 8.x. An upgrade to a fixed version will be required to remediate this vulnerability.
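The affected and fixed version tables above, together with the mesh.enabled rules in the two preceding answers, can be encoded as a small offline check for use across a fleet of instances. The following is an added example and not Atlassian code: it reads a bitbucket.properties file with a minimal Java-properties parser and decides from the version string whether an instance falls in the affected list, treating a missing mesh.enabled key on 8.x as the default of true. The function and constant names are this example's own, and the sample properties content is constructed.

```python
"""Offline triage for CVE-2022-43781 based on the FAQ's version tables.

Added example, not Atlassian code. Function and constant names are this
example's own. is_affected() returns True when a (version, properties) pair
falls in the affected list, including the 8.x mesh.enabled=false case.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# 7.x: minor -> first fixed patch level. Every 7.x minor from 0 to 21 is in
# the affected list; only these three minors have a fixed release
# (7.6.19, 7.17.12, 7.21.6).
FIRST_FIXED_7X: Dict[int, int] = {6: 19, 17: 12, 21: 6}
# 8.x: minor -> first fixed patch level. Only relevant when mesh.enabled=false.
# 8.5.0 and later are fixed regardless, so they are simply absent here.
FIRST_FIXED_8X: Dict[int, int] = {0: 5, 1: 5, 2: 4, 3: 3, 4: 2}


def parse_version(text: str) -> Version:
    """Parse '7.21.5' or '8.4' into (major, minor, patch); patch defaults to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Bitbucket version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments; '=', ':' or whitespace separators."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def mesh_enabled(props: Optional[Dict[str, str]]) -> bool:
    """On 8.x the default is true, so a missing key means Mesh is enabled."""
    if not props:
        return True
    return props.get("mesh.enabled", "true").strip().lower() != "false"


def is_affected(version: str, props: Optional[Dict[str, str]] = None) -> bool:
    """True if this version (and, for 8.x, this properties file) is in the affected list."""
    major, minor, patch = parse_version(version)
    if major == 7 and 0 <= minor <= 21:
        first_fixed = FIRST_FIXED_7X.get(minor)
        # Minors without a fixed release (e.g. 7.10, 7.20) are affected at every patch level.
        return first_fixed is None or patch < first_fixed
    if major == 8 and not mesh_enabled(props):
        first_fixed = FIRST_FIXED_8X.get(minor)
        return first_fixed is not None and patch < first_fixed
    return False


# Constructed sample, not taken from a real instance.
SAMPLE_PROPERTIES = """\
# bitbucket.properties (constructed example)
server.port=7990
mesh.enabled = false
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for v in ("7.21.5", "7.21.6", "8.4.1", "8.4.2"):
        print(v, "affected" if is_affected(v, props) else "not affected")
```

The version string is whatever the instance reports (for example from the Administration page or the REST API); the 7.x branch ignores the properties file entirely, matching the answer above that mesh.enabled does not exist on 7.x.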

I need help upgrading, what should I do?

For detailed information and step-by-step instructions related to upgrading, please see the Bitbucket Data Center Upgrade Guide, or if you are not running Bitbucket in a cluster, please follow the instructions in our Bitbucket Server upgrade guide. This is our recommended, supported method for upgrading Bitbucket Server, and it contains all the information on this page as well as other helpful tips to ensure your upgrade is successful.

For upgrading Bitbucket Data Center using Zero Downtime, please see Upgrade Bitbucket Data Center with Zero downtime for more information.

Testing

The most important step to take to avoid production outages is to follow change management best practices by testing the upgrade in a staging environment first. For more information on how to set up a staging environment, see How to establish staging server environments for Bitbucket Server.

If you still have questions or concerns, please raise a support request at https://support.atlassian.com/.

How does Atlassian decide who to send these emails to?

Atlassian sends a copy of all critical security advisories to the 'Alerts' mailing list for the product concerned, excluding Sourcetree. To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email.

Can we determine if Bitbucket has already been compromised?

Unfortunately, Atlassian cannot confirm if a Bitbucket instance has been compromised. Please involve the local security team or a specialist security forensics firm for further investigation.

Atlassian recommends checking the integrity of the Bitbucket filesystem, for example, comparison of artifacts in their current state with recent backups to see if there are any unexpected differences.

All security compromises are different, and there is a risk that an attacker could hide their footprint and change important files such as syslogs, audit logs, and access logs, depending on the component that has been compromised.
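One way to carry out the backup comparison recommended above, as an added example that is not part of Atlassian's guidance or tooling: hash every regular file under a known-good backup of the Bitbucket home directory and under the live copy, then report files that were added, removed or changed. The function names hash_tree and diff_trees are this example's own, and the directory layout and file contents built in demo() are constructed for illustration; on a real instance you would point hash_tree at the mounted backup and at BITBUCKET_HOME.

```python
"""Integrity comparison of a live Bitbucket home against a known-good backup.

Added example, not Atlassian tooling. hash_tree/diff_trees are this
example's own names; demo() builds a constructed directory pair so the
script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks so a planted link cannot pull in files from outside the tree.
        if path.is_symlink() or not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_trees(backup: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as added (only live), removed (only backup) or modified (digest differs)."""
    common = set(backup) & set(current)
    return {
        "added": sorted(set(current) - set(backup)),
        "removed": sorted(set(backup) - set(current)),
        "modified": sorted(p for p in common if backup[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed backup/current pair: one edited config file and one new script."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, current = Path(tmp, "backup"), Path(tmp, "current")
        for root in (backup, current):
            (root / "shared").mkdir(parents=True)
            (root / "bin").mkdir()
            (root / "bin" / "start-bitbucket.sh").write_text("#!/bin/sh\nexec java\n")
        (backup / "shared" / "bitbucket.properties").write_text("server.port=7990\n")
        (current / "shared" / "bitbucket.properties").write_text(
            "server.port=7990\nmesh.enabled=false\n"
        )
        (current / "shared" / "unexpected.sh").write_text("# file absent from the backup\n")
        return diff_trees(hash_tree(backup), hash_tree(current))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run the comparison from a trusted host with the backup mounted read-only, and treat the backup digests, not anything recorded on the possibly compromised server, as the reference. Legitimate churn (repository data, caches, logs) will also appear as modified, so compare against a backup taken close to the suspected window and triage the configuration and binary directories first.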

My instance isn't exposed to the Internet. Is an upgrade still recommended?

Yes. Upgrading to a fixed version of Bitbucket Server and Data Center is the only way to ensure that your instance is protected against CVE-2022-43781.



Last modified on Nov 14, 2022
