Aug 29 2022

Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers

Category: Security vulnerabilitiesDISC @ 11:55 am

Grab and deploy this backend update if you offer even repo read access

A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.

Atlassian hasĀ fixedĀ the security holes, which are present in versions 7.0.0 to 8.3.0 of the software, inclusive. Luckily there are no known exploits in the wild.Ā 

But considering the vulnerability, tracked as CVE-2022-36804, received a 9.9 out of 10 CVSS score in terms of severity, we’d suggest you stop what you’re doing and update as soon as possible as it’s safe to assume miscreants are already scanning for vulnerable instances. 

As Atlassian explains in its security advisory, published mid-last week: “An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.”

Additionally, the Center for Internet Security hasĀ labeledĀ the flaw a “high” security risk for all sizes of business and government entities. These outfits typically use Bitbucket for managing source code in Git repositories.

Atlassian recommends organizations upgrade their instances to a fixed version, and those with configured Bitbucket Mesh nodes will need to update those, too. There’s aĀ compatibility matrixĀ to help users find the Mesh version that’s compatible with the Bitbucket Data Center version.

And if you need to postpone a Bitbucket update, Atlassian advisesĀ turning offĀ public repositories globally as a temporary mitigation. This will change the attack vector from an unauthorized to an authorized attack. However, “this can not be considered a complete mitigation as an attacker with a user account could still succeed,” according to the advisory.

Security researcherĀ @TheGrandPewĀ discovered and reported the vulnerability via Atlassian’s bug bounty program.

This latest bug follows a series of hits for the popular enterprise collaboration software maker. 

Last month, AtlassianĀ warnedĀ users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of years-old, critical flaws threaten their security. It detailed the so-called Servlet Filter dispatcher vulnerabilities in itsĀ July security updates, and said the flaw allowed remote, unauthenticated attackers to bypass authentication used by third-party apps.

In June, AtlassianĀ copped toĀ another critical flaw in Confluence that was under active attack.

Plus, there was also the two-week-longĀ embarrassing cloud outageĀ that affected almost 800 customers this spring. This is less than half a percent of the company’s total customers, but still, as co-founder and co-CEO Mike Cannon-BrookesĀ admittedĀ on the firm’s most recent earnings call, it’s “one customer is too many.” And definitely not a good look for a cloud collaboration business. Ā®

Guide for Atlassian Confluence and its marketplace

DISC InfoSec

#InfoSecTools and #InfoSectraining



Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: Atlassian, Critical hole