Bitbucket Server Security Advisory 2020-01-15

Bitbucket Server and Data Center - Remote Code Execution (RCE) Vulnerabilities

Summary: January 2020 Bitbucket Server and Data Center Advisory - Remote Code Execution (RCE) vulnerabilities.
Release date: 15 Jan 2020 10 AM PDT (Pacific Time, -7 hours)
Affected products
  • Bitbucket Server
  • Bitbucket Data Center
Affected versions
  • All 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
  • All 5.x.x versions before 5.16.11
  • All 6.0.x versions before 6.0.11
  • All 6.1.x versions before 6.1.9
  • All 6.2.x versions before 6.2.7
  • All 6.3.x versions before 6.3.6
  • All 6.4.x versions before 6.4.4
  • All 6.5.x versions before 6.5.3
  • All 6.6.x versions before 6.6.3
  • All 6.7.x versions before 6.7.3
  • All 6.8.x versions before 6.8.2
  • All 6.9.x versions before 6.9.1
Fixed versions
  • Version 5.16.11 for versions 1.x.x to 5.x.x
  • Version 6.0.11 for versions 6.0.x
  • Version 6.1.9 for versions 6.1.x
  • Version 6.2.7 for versions 6.2.x
  • Version 6.3.6 for versions 6.3.x
  • Version 6.4.4 for versions 6.4.x
  • Version 6.5.3 for versions 6.5.x
  • Version 6.6.3 for versions 6.6.x
  • Version 6.7.3 for versions 6.7.x
  • Version 6.8.2 for versions 6.8.x
  • Version 6.9.1 for versions 6.9.x
CVE ID(s)
  • CVE-2019-15010
  • CVE-2019-20097
  • CVE-2019-15012

Summary of vulnerabilities

This advisory discloses critical severity security vulnerabilities in the Bitbucket Server and Data Center versions listed above ("Affected Bitbucket Server and Data Center Versions").

Please upgrade your Confluence Server or Data Center installations immediately to fix this vulnerability.

Note: Customers who have upgraded Bitbucket Server and Data Center to versions 5.16.11, 6.0.11, 6.1.9, 6.2.7, 6.3.6, 6.4.4, 6.5.3, 6.6.3, 6.7.3, 6.8.2, 6.9.1 or higher are not affected.

Remote Code Execution (RCE) via certain user input fields - CVE-2019-15010

Severity

Atlassian has given this vulnerability a critical severity rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Bitbucket Server and Data Center versions starting from 3.0.0 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user-level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Data Center instance.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 3.x.x before 5.16.11 (the fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x),
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x).

This issue can be tracked here: BSERV-12098 - Remote Code Execution (RCE) via certain user input fields

Fix

To address these issues, we have released the following Bitbucket Server and Data Center versions, each of which contains a fix for these issues:
  • 5.16.11
  • 6.0.11
  • 6.1.9
  • 6.2.7
  • 6.3.6
  • 6.4.4
  • 6.5.3
  • 6.6.3
  • 6.7.3
  • 6.8.2
  • 6.9.1
These versions can be downloaded at https://www.atlassian.com/software/bitbucket/download-archives, with the latest version at https://www.atlassian.com/software/bitbucket/download.

What You Need to Do

Atlassian recommends that you upgrade to the latest version (6.9.1). For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket Server and Data Center from the Atlassian website.

If you can't upgrade to the latest version (6.9.1):

  If you have feature version...          ...then upgrade to this bugfix version:
  1.x.x, 2.x.x, 3.x.x, 4.x.x or 5.x.x     5.16.11
  6.0.x                                   6.0.11
  6.1.x                                   6.1.9
  6.2.x                                   6.2.7
  6.3.x                                   6.3.6
  6.4.x                                   6.4.4
  6.5.x                                   6.5.7
  6.6.x                                   6.6.3
  6.7.x                                   6.7.3
  6.8.x                                   6.8.2
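
As an added example (not part of Atlassian's advisory), the checker below encodes the upgrade table above so an inventory script can flag every Bitbucket Server or Data Center instance that still needs a bugfix release; the version string format and the handling of release lines newer than 6.9.x are assumptions, the fixed-version numbers are the advisory's own.

```python
# Added example, not Atlassian code: map an installed Bitbucket Server /
# Data Center version to the bugfix release this advisory says closes
# CVE-2019-15010, CVE-2019-20097 and CVE-2019-15012.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per 6.x feature line, as published in the advisory.
FIXED_6X: Dict[Tuple[int, int], Version] = {
    (6, 0): (6, 0, 11), (6, 1): (6, 1, 9), (6, 2): (6, 2, 7),
    (6, 3): (6, 3, 6),  (6, 4): (6, 4, 4), (6, 5): (6, 5, 3),
    (6, 6): (6, 6, 3),  (6, 7): (6, 7, 3), (6, 8): (6, 8, 2),
    (6, 9): (6, 9, 1),
}
# Everything from 1.x.x through 5.x.x is routed to a single bugfix release.
FIX_FOR_5X_AND_EARLIER: Version = (5, 16, 11)


def parse_version(text: str) -> Version:
    """Turn '6.4.3' (or '6.4', or '6.4.3-rc1') into a (major, minor, patch) tuple.

    Assumption: the version string is dotted integers with an optional '-' suffix.
    """
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def required_fix(installed: str) -> Optional[str]:
    """Return the bugfix version to upgrade to, or None if the install is not affected.

    Feature lines newer than 6.9.x are not in the advisory's table; they are
    treated as unaffected because the advisory states 6.9.1 or higher is fixed.
    """
    v = parse_version(installed)
    if v[0] <= 5:
        fix = FIX_FOR_5X_AND_EARLIER
    elif (v[0], v[1]) in FIXED_6X:
        fix = FIXED_6X[(v[0], v[1])]
    else:
        return None  # later feature line, outside the affected ranges
    if v >= fix:
        return None  # already at or past the fixed release for this line
    return ".".join(str(p) for p in fix)
```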

Mitigation

If you are unable to upgrade Bitbucket Server or Data Center immediately, note that there are no known workarounds for CVE-2019-15010 or CVE-2019-20097, so it's important to upgrade to a fixed version as soon as possible.

Original link:

https://confluence.atlassian.com/bitbucketserver/bitbucket-server-security-advisory-2020-01-15-985498238.html