Atlassian Patches Critical Command Injection Vulnerability in Bitbucket Server and Data Center (CVE-2022-43781)

Atlassian has released a security advisory to address a critical vulnerability in Bitbucket Server and Data Center (CVE-2022-43781).

Bitbucket is a Git-based code hosting and collaboration tool built for teams. Bitbucket Server is hosted on-premises, while Bitbucket Data Center runs on several servers in a cluster in your environment.

CVE-2022-43781 is a command injection vulnerability that makes use of environment variables in Bitbucket Server and Data Center. To exploit it, an attacker must be able to control their own username. On successful exploitation, the attacker could gain code execution and execute code on the system.
 
Affected versions 
Bitbucket Data Center and Server 

  • 7.0 to 7.5 (all versions) 
  • 7.6.0 to 7.6.18 
  • 7.7 to 7.16 (all versions) 
  • 7.17.0 to 7.17.11 
  • 7.18 to 7.20 (all versions) 
  • 7.21.0 to 7.21.5  

If mesh.enabled=false is set in bitbucket.properties: 

  • 8.0.0 to 8.0.4 
  • 8.1.0 to 8.1.4 
  • 8.2.0 to 8.2.3 
  • 8.3.0 to 8.3.2 
  • 8.4.0 to 8.4.1 

Mitigation 
Customers should update to the following fixed versions: 

  • 7.6.19 or newer 
  • 7.17.12 or newer 
  • 7.21.6 or newer 
  • 8.0.5 or newer 
  • 8.1.5 or newer 
  • 8.2.4 or newer 
  • 8.3.3 or newer 
  • 8.4.2 or newer 
  • 8.5.0 or newer

For more information, customers can refer to the Atlassian Security Advisory.
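The affected and fixed version lists above, turned into a check that can be run against an inventory of Bitbucket instances. This is an added example, not code from the advisory or from Atlassian; it assumes version strings of the form major.minor[.patch], reads bitbucket.properties as plain key=value lines, and maps branches that have no in-branch fix (7.0 to 7.5, 7.7 to 7.16, 7.18 to 7.20) to the next fixed release listed above.

```python
from typing import Optional

# Affected ranges from the advisory as (lowest, highest, first fixed release).
# "X to Y (all versions)" ranges use patch 999 as an open upper bound and
# point at the next fixed branch (7.0-7.5 has no in-branch fix: go to 7.6.19).
AFFECTED_7X = [
    ((7, 0, 0), (7, 5, 999), (7, 6, 19)),
    ((7, 6, 0), (7, 6, 18), (7, 6, 19)),
    ((7, 7, 0), (7, 16, 999), (7, 17, 12)),
    ((7, 17, 0), (7, 17, 11), (7, 17, 12)),
    ((7, 18, 0), (7, 20, 999), (7, 21, 6)),
    ((7, 21, 0), (7, 21, 5), (7, 21, 6)),
]
# 8.x ranges are affected only when mesh.enabled=false is set.
AFFECTED_8X_NO_MESH = [
    ((8, 0, 0), (8, 0, 4), (8, 0, 5)),
    ((8, 1, 0), (8, 1, 4), (8, 1, 5)),
    ((8, 2, 0), (8, 2, 3), (8, 2, 4)),
    ((8, 3, 0), (8, 3, 2), (8, 3, 3)),
    ((8, 4, 0), (8, 4, 1), (8, 4, 2)),
]

def parse_version(text: str) -> tuple:
    """Turn 'major.minor[.patch]' into a comparable tuple (patch defaults to 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected Bitbucket version string: {text!r}")
    return (parts[0], parts[1], parts[2] if len(parts) == 3 else 0)

def mesh_disabled(properties_text: str) -> bool:
    """True only if bitbucket.properties explicitly sets mesh.enabled=false.
    Only 'key=value' lines are read (assumption); a missing key counts as not set."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "mesh.enabled":
            return value.lower() == "false"
    return False

def fixed_version_for(version: str, properties_text: str = "") -> Optional[str]:
    """Return the release to upgrade to, or None if this version is not affected."""
    v = parse_version(version)
    ranges = AFFECTED_7X + (AFFECTED_8X_NO_MESH if mesh_disabled(properties_text) else [])
    for low, high, fixed in ranges:
        if low <= v <= high:
            return ".".join(map(str, fixed))
    return None
```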

Workaround 
Atlassian has suggested a temporary workaround for CVE-2022-43781 for customers who are unable to upgrade to a fixed version.
 
The workaround requires administrators to disable ‘Public Signup’. This changes the attack vector from an unauthenticated attack to an authenticated one, reducing the risk of exploitation.
 
To disable this setting, go to Administration > Authentication and clear the Allow Public Signup checkbox. 
  
ADMIN or SYS_ADMIN authenticated users can still exploit the vulnerability when public signup is disabled. 
 
This mitigation should be treated as a temporary workaround and customers are recommended to upgrade to a fixed version as soon as possible. 
 
Qualys Detection 
Qualys customers can scan their devices with QID 730671 to detect vulnerable assets.  
  
Continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html
