Bitbucket Server security advisory 2019-09-18

Bitbucket - Argument Injection - CVE-2019-15000

Summary

CVE-2019-15000 - Argument injection

Advisory release date

10:00 AM PDT (Pacific Time, -7 hours)

Product

Bitbucket Server

Bitbucket Data Center

Affected Bitbucket Server & Bitbucket Data Center Versions

  • 1.x

  • 2.x

  • 3.x

  • 4.x

  • 5.x before 5.16.10 (the fixed version for 5.16.x)

  • 6.0.x before 6.0.10 (the fixed version for 6.0.x)

  • 6.1.x before 6.1.8 (the fixed version for 6.1.x)

  • 6.2.x before 6.2.6 (the fixed version for 6.2.x)

  • 6.3.x before 6.3.5 (the fixed version for 6.3.x)

  • 6.4.x before 6.4.3 (the fixed version for 6.4.x)

  • 6.5.x before 6.5.2 (the fixed version for 6.5.x)

Fixed Bitbucket Server & Bitbucket Data Center Versions

  • 5.16.10

  • 6.0.10

  • 6.1.8

  • 6.2.6

  • 6.3.5

  • 6.4.3

  • 6.5.2

  • 6.6.0

  • 6.6.1

CVE ID

CVE-2019-15000


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability in Bitbucket Server and Bitbucket Data Center. The following versions of Bitbucket Server and Bitbucket Data Center are affected by this vulnerability:

  • Before 5.16.10 (the fixed version for 5.16.x)

  • From 6.0.0 before 6.0.10 (the fixed version for 6.0.x)

  • From 6.1.0 before 6.1.8 (the fixed version for 6.1.x)

  • From 6.2.0 before 6.2.6 (the fixed version for 6.2.x)

  • From 6.3.0 before 6.3.5 (the fixed version for 6.3.x)

  • From 6.4.0 before 6.4.3 (the fixed version for 6.4.x)

  • And from 6.5.0 before 6.5.2 (the fixed version for 6.5.x)

Customers who have upgraded Bitbucket to version 5.16.10, 6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2, 6.6.0, 6.6.1 or higher are not affected.

Customers who have downloaded and installed a Bitbucket version in any of the following ranges are affected:

  • less than 5.16.10 (the fixed version for 5.16.x)

  • 6.0.0 or later and less than 6.0.10 (the fixed version for 6.0.x)

  • 6.1.0 or later and less than 6.1.8 (the fixed version for 6.1.x)

  • 6.2.0 or later and less than 6.2.6 (the fixed version for 6.2.x)

  • 6.3.0 or later and less than 6.3.5 (the fixed version for 6.3.x)

  • 6.4.0 or later and less than 6.4.3 (the fixed version for 6.4.x)

  • 6.5.0 or later and less than 6.5.2 (the fixed version for 6.5.x)

Please upgrade your Bitbucket Server & Bitbucket Data Center installations immediately to fix this vulnerability.
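As an added illustration that is not part of Atlassian's advisory, the affected ranges and the upgrade table on this page can be turned into a small Python check to run over an inventory of instance versions. The version numbers and ranges are exactly those stated in the advisory; the function names and the sample inputs are my own.

```python
"""Check Bitbucket Server / Data Center version strings against the CVE-2019-15000 ranges.

Added example, not Atlassian code. Ranges and fixed versions are copied from the advisory.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges: (lower bound inclusive, or None for "everything below", upper bound exclusive).
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None,      (5, 16, 10)),  # everything before 5.16.10, i.e. 1.x through 5.16.9
    ((6, 0, 0), (6, 0, 10)),
    ((6, 1, 0), (6, 1, 8)),
    ((6, 2, 0), (6, 2, 6)),
    ((6, 3, 0), (6, 3, 5)),
    ((6, 4, 0), (6, 4, 3)),
    ((6, 5, 0), (6, 5, 2)),
]

# Fixed versions from the "if you can't upgrade to the latest version" table.
FIXED_VERSIONS: List[Version] = [
    (5, 16, 10), (6, 0, 10), (6, 1, 8), (6, 2, 6), (6, 3, 5), (6, 4, 3), (6, 5, 2),
]
LATEST_FIXED: Version = (6, 6, 1)


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' with an optional suffix (e.g. '6.3.0-rc1') into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range of the advisory."""
    v = parse_version(text)
    return any((lower is None or lower <= v) and v < upper for lower, upper in AFFECTED_RANGES)


def upgrade_targets(text: str) -> List[str]:
    """Fixed versions an affected instance can move to without going backwards on its
    release line (the advisory's table); empty when the version is not affected."""
    if not is_affected(text):
        return []
    major, minor, _ = parse_version(text)
    line_start = (major, minor, 0)
    return [fmt(f) for f in FIXED_VERSIONS if f >= line_start]


if __name__ == "__main__":
    # Constructed sample inventory; the names are placeholders.
    inventory = {"build-01": "6.4.1", "build-02": "5.16.10", "legacy": "4.14.0", "new": "6.6.1"}
    for host, ver in inventory.items():
        if is_affected(ver):
            print(f"{host}: {ver} AFFECTED, upgrade to {fmt(LATEST_FIXED)} or one of "
                  + ", ".join(upgrade_targets(ver)))
        else:
            print(f"{host}: {ver} not affected")
```

The range table is kept as data so the same checker can be extended to later advisories by adding rows rather than editing logic.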


Argument Injection

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability.

This issue can be tracked here: https://jira.atlassian.com/browse/BSERV-11947
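The general shape of the bug class named above, shown as an added example that is not Atlassian's code and says nothing about how Bitbucket builds its commands: when a caller-supplied value such as a ref name reaches a git argument vector at a position where git is still parsing options, a value beginning with '-' is read as an option instead of as data. The defensive pattern is to validate ref names before they reach argv, to terminate option parsing with '--' ahead of pathspecs, and to invoke git without a shell. The builder and validator names below are hypothetical, and the rejection rules are a subset of what git's own check-ref-format enforces.

```python
"""Defensive construction of git argument vectors from caller-supplied values.

Added example, not Atlassian code. Shows the vulnerable and hardened shapes side by side.
"""
import re
import subprocess
from typing import List


class UnsafeArgument(ValueError):
    """Raised when a caller-supplied value could be parsed by git as an option."""


# Subset of the characters and sequences git's check-ref-format rejects
# (control chars, space, DEL, ~ ^ : ? * [ \ and the sequences .., @{, //).
_BAD_REF_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")
_BAD_REF_SEQS = ("..", "@{", "//")


def validate_ref(ref: str) -> str:
    """Accept a ref name only if git could not mistake it for an option."""
    if not ref or ref.startswith("-"):
        raise UnsafeArgument(f"ref must not be empty or begin with '-': {ref!r}")
    if _BAD_REF_CHARS.search(ref) or any(seq in ref for seq in _BAD_REF_SEQS):
        raise UnsafeArgument(f"ref contains characters git does not accept: {ref!r}")
    if ref.startswith("/") or ref.endswith((".lock", "/", ".")):
        raise UnsafeArgument(f"malformed ref: {ref!r}")
    return ref


def build_log_argv_unsafe(ref: str, path: str) -> List[str]:
    """Vulnerable shape: caller values are dropped straight into option-parsing positions,
    so a ref or path starting with '-' is interpreted by git as an option."""
    return ["git", "log", "--oneline", ref, path]


def build_log_argv(ref: str, path: str) -> List[str]:
    """Hardened shape: the ref (which must precede '--') is validated, and '--' ends option
    parsing so the pathspec is always treated as data, even if it starts with '-'."""
    return ["git", "log", "--oneline", validate_ref(ref), "--", path]


def run_git(argv: List[str], repo_dir: str) -> str:
    """Run git without a shell so argv reaches the process verbatim (no /bin/sh re-parsing)."""
    result = subprocess.run(argv, cwd=repo_dir, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate branch and a file whose name happens to start with '-'.
    print(build_log_argv("feature/login", "-draft.md"))
    for bad in ("--not-a-ref", "", "a..b", "refs/heads/x.lock", "bad ref"):
        try:
            validate_ref(bad)
        except UnsafeArgument as err:
            print("rejected:", err)
```

Note that '--' only protects what comes after it; a revision argument must sit before '--' in git log's syntax, which is why the ref is validated rather than merely repositioned.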

Acknowledgements

We would like to acknowledge William Bowling for finding this vulnerability.

Fix

In order to address this issue we have applied fixes to the following released versions of Bitbucket Server & Data Center:

  1. Version 6.6.1 can be downloaded from here.

  2. Version 6.6.0 can be downloaded from here.

  3. Version 6.5.2 can be downloaded from here.

  4. Version 6.4.3 can be downloaded from here.

  5. Version 6.3.5 can be downloaded from here.

  6. Version 6.2.6 can be downloaded from here.

  7. Version 6.1.8 can be downloaded from here.

  8. Version 6.0.10 can be downloaded from here.

  9. Version 5.16.10 can be downloaded from here.

What You Need to Do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the release notes. You can download the latest version of Bitbucket Server & Bitbucket Data Center from the download center.

Upgrade Bitbucket Server & Bitbucket Data Center to version 6.6.0 or higher.


If you can't upgrade to the latest version:

Current version                    …then upgrade to any of these versions

1.x, 2.x, 3.x, 4.x, 5.x            5.16.10, 6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2

6.0.x                              6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2

6.1.x                              6.1.8, 6.2.6, 6.3.5, 6.4.3, 6.5.2

6.2.x                              6.2.6, 6.3.5, 6.4.3, 6.5.2

6.3.x                              6.3.5, 6.4.3, 6.5.2

6.4.x                              6.4.3, 6.5.2

6.5.x                              6.5.2


Mitigation

To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.

The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.


Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the standard functionality of Bitbucket.

This hotfix covers:
  • Standard Bitbucket functionality and features

  • Bitbucket Server and Data Center versions 4.0.0 and later

  • Bitbucket Server and Data Center instances

To install the hotfix:

This hotfix is a zero-downtime installation; no restart is required after installing it.

  1. Log in to Bitbucket with your administrator account

  2. Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps”

  3. Select “Upload App” and provide the URL

    https://jira.atlassian.com/secure/attachment/376655/bitbucket-bserv-11896-hotfix-1.0.0.jar

  4. Click “Upload” and wait for the hotfix to install.

If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from https://jira.atlassian.com/browse/BSERV-11947. You are then able to upload the Jar file using the same steps above.

After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.


Support

If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ja/.

References

Security Bug Fix Policy

As per our new policy, critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released.

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE ID. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our End of Life Policy for details.

Last modified on September 17, 2019
