This article is more than 1 year old
Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers
Grab and deploy this backend update if you offer even repo read access
A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.
Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software, inclusive. Luckily there are no known exploits in the wild.
But considering the vulnerability, tracked as CVE-2022-36804, received a 9.9 out of 10 CVSS score in terms of severity, we'd suggest you stop what you're doing and update as soon as possible as it's safe to assume miscreants are already scanning for vulnerable instances.
As Atlassian explains in its security advisory, published mid-last week: "An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request."
Additionally, the Center for Internet Security has labeled the flaw a "high" security risk for all sizes of business and government entities. These outfits typically use Bitbucket for managing source code in Git repositories.
Atlassian recommends organizations upgrade their instances to a fixed version, and those with configured Bitbucket Mesh nodes will need to update those, too. There's a compatibility matrix to help users find the Mesh version that's compatible with the Bitbucket Data Center version.
And if you need to postpone a Bitbucket update, Atlassian advises turning off public repositories globally as a temporary mitigation. This will change the attack vector from an unauthorized to an authorized attack. However, "this can not be considered a complete mitigation as an attacker with a user account could still succeed," according to the advisory.
Security researcher @TheGrandPew discovered and reported the vulnerability via Atlassian's bug bounty program.
- If you haven't patched Zimbra holes by now, assume you're toast
- Warning over Java libraries and deserialization security weaknesses
- Atlassian reveals critical flaws in almost everything it makes and touches
- Atlassian boasts strong Q3 revenue growth in wake of two-week outage
This latest bug follows a series of hits for the popular enterprise collaboration software maker.
Last month, Atlassian warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of years-old, critical flaws threaten their security. It detailed the so-called Servlet Filter dispatcher vulnerabilities in its July security updates, and said the flaw allowed remote, unauthenticated attackers to bypass authentication used by third-party apps.
In June, Atlassian copped to another critical flaw in Confluence that was under active attack.
Plus, there was also the two-week-long embarrassing cloud outage that affected almost 800 customers this spring. This is less than half a percent of the company's total customers, but still, as co-founder and co-CEO Mike Cannon-Brookes admitted on the firm's most recent earnings call, it's "one customer is too many." And definitely not a good look for a cloud collaboration business. ®