{"id":20258,"date":"2022-10-03T16:10:37","date_gmt":"2022-10-04T00:10:37","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/10\/03\/news-13991\/"},"modified":"2022-10-03T16:10:37","modified_gmt":"2022-10-04T00:10:37","slug":"news-13991","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/10\/03\/news-13991\/","title":{"rendered":"Actively exploited vulnerability in Bitbucket Server and Data Center"},"content":{"rendered":"

On September 29, 2022 the Cybersecurity & Infrastructure Security Agency (CISA) added three vulnerabilities to the catalog of known to be exploited vulnerabilities<\/a>. One of them is a vulnerability in Atlassian’s Bitbucket Server and Data Center<\/a>. The other two are the Exchange Server zero-day vulnerabilities<\/a> we wrote about last week.<\/p>\n

The Bitbucket vulnerability is no zero-day. Fixed versions were made available on August 24, 2022. The vulnerability allows an attacker who has read permissions to execute arbitrary code by sending a malicious HTTP request.<\/p>\n

Mitigation<\/h2>\n

All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected. Atlassian recommends that you upgrade your instance to one of the versions listed below.<\/p>\n\n\n\n\n\n\n\n\n\n\n
\n

Supported Version<\/span><\/b><\/p>\n<\/td>\n

\n

Bug Fix Release<\/span><\/b><\/p>\n<\/td>\n<\/tr>\n

\n

Bitbucket Server and Data Center 7.6<\/a><\/span><\/p>\n<\/td>\n

\n

7.6.17 (LTS<\/a>) or newer<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Bitbucket Server and Data Center 7.17<\/a><\/span><\/p>\n<\/td>\n

\n

7.17.10 (LTS<\/a>) or newer<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Bitbucket Server and Data Center 7.21<\/a><\/span><\/p>\n<\/td>\n

\n

7.21.4 (LTS<\/a>) or newer<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Bitbucket Server and Data Center 8.0<\/a><\/span><\/p>\n<\/td>\n

\n

8.0.3 or newer<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Bitbucket Server and Data Center 8.1<\/a><\/span><\/p>\n<\/td>\n

\n

8.1.3 or newer<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Bitbucket Server and Data Center 8.2<\/a><\/span><\/p>\n<\/td>\n

\n

8.2.2 or newer<\/span><\/p>\n<\/td>\n<\/tr>\n

\n

Bitbucket Server and Data Center 8.3<\/a><\/span><\/p>\n<\/td>\n

\n

8.3.1 or newer<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

You can download the latest version of Bitbucket from the download center<\/a>. Visit the Frequently Asked Questions (FAQ)<\/a> page if you have any questions.<\/p>\n

If, for any reason, you are unable to apply the security updates, you are advised to apply temporary partial mitigation by turning off public repositories by setting the option feature.public.access to false. This blocks unauthorized users from accessing the repository.<\/p>\n

If you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.<\/p>\n

Vulnerability<\/h2>\n

The Remote Code Execution vulnerability was found by Maxwell Garret<\/a> a security researcher at  Assetnote<\/a> and assigned CVE-2022-36804<\/a>. The vulnerability was rated as critical, which indicates a CVSS score<\/a> between 9 and 10 out of 10. If an attacker can read the content of a repository, either because it is a public repository or because they have read permission on a private repository, they are able to exploit the vulnerability.<\/p>\n

Discovery<\/h2>\n

Bitbucket is a web based hosting service that distributes source code and development projects. Typically, Bitbucket Server is deployed on-premise and allows uploads of source code from GitHub and other platforms. Bitbucket uses git for many operations within the software. The discovery was inspired by the blog post from William Bowling about his RCE via git option injection in GitHub Enterprise<\/a>.<\/p>\n

Exploitation<\/h2>\n

The proof-of-concept (PoC) exploit was made public<\/a> on September 19, 2022. Attackers did not wait long. Some were observed scanning<\/a> for vulnerable instances as early as September 20th.<\/p>\n

Besides CISA adding the vulnerability to the known to be exploited vulnerabilities list, the Belgian federal cyber emergency team (CERT.be) warned that an exploit kit is now available for CVE-2022-36804 and urged users to patch.<\/p>\n

\n

WARNING: An exploit kit is now available for CVE-2022-36804 affecting @Atlassian<\/a> @Bitbucket<\/a> Server and Data Center. More information on https:\/\/t.co\/ccK9ng8j58<\/a>
If you haven’t done so already, it’s time to #patch<\/a> #patch<\/a> #patch<\/a> https:\/\/t.co\/fytm6ZEGiw<\/a><\/p>\n

— CERT.be (@certbe) September 27, 2022<\/a><\/p><\/blockquote>\n