Bitbucket Server Security Advisory 2020-01-15

Bitbucket Server and Data Center - Remote Code Execution (RCE) Vulnerabilities

要約

January 2020 Bitbucket Server and Data Center Advisory - Remote Code Execution (RCE) vulnerabilities.

勧告のリリース日

 10 AM PDT (Pacific Time, -7 hours)

製品

Bitbucket Server

Bitbucket Data Center

Affected Bitbucket Server and Data Center Versions

  • All 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
  • All 5.x.x versions before 5.16.11
  • All 6.0.x versions before 6.0.11
  • 6.1.9 よりも前のすべての 6.1.x バージョン
  • 6.2.7 よりも前のすべての 6.2.x バージョン
  • 6.3.6 よりも前のすべての 6.3.x バージョン
  • 6.4.4 よりも前のすべての 6.4.x バージョン
  • 6.5.3 よりも前のすべての 6.5.x バージョン
  • 6.6.3 よりも前のすべての 6.6.x バージョン
  • 6.7.3 よりも前のすべての 6.7.x バージョン
  • 6.8.2 よりも前のすべての 6.8.x バージョン
  • All 6.9.x versions before 6.9.1

Fixed Bitbucket Server and Data Center Versions

  • Version 5.16.11 for versions 1.x.x to 5.x.x
  • Version 6.0.11 for versions 6.0.x
  • Version 6.1.9 for versions 6.1.x
  • Version 6.2.7 for versions 6.2.x
  • Version 6.3.6 for versions 6.3.x
  • Version 6.4.4 for versions 6.4.x
  • Version 6.5.3 for versions 6.5.x
  • Version 6.6.3 for versions 6.6.x
  • Version 6.7.3 for versions 6.7.x
  • Version 6.8.2 for versions 6.8.x
  • Version 6.9.1 for versions 6.9.x
CVE ID
  • CVE-2019-15010
  • CVE-2019-20097
  • CVE-2019-15012


脆弱性の概要

This advisory discloses critical severity security vulnerabilities in the Bitbucket Server and Data Center versions listed above ("Affected Bitbucket Server and Data Center Versions").

Customers who have downloaded and installed any of the Bitbucket Server and Data Center versions listed above ("Affected Bitbucket Server and Data Center Versions") are affected.

Please upgrade your Bitbucket Server and Data Center installations immediately to fix this vulnerability.

Customers using Bitbucket Cloud are not affected.

Bitbucket Smart Mirrors are not affected.

Customers who have upgraded Bitbucket Server and Data Center to versions 5.16.11, 6.0.11, 6.1.9, 6.2.7, 6.3.6, 6.4.4, 6.5.3, 6.6.3, 6.7.3, 6.8.2, 6.9.1 or higher are not affected.

Remote Code Execution (RCE) via certain user input fields - CVE-2019-15010

深刻度

Atlassian has given this vulnerability critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

これはアトラシアンの評価であり、お客様自身の IT 環境への適用性を評価する必要があります。

説明

Bitbucket Server and Data Center versions starting from 3.0.0 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket server or Data Center instance.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 3.x.x before 5.16.11 (the fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x), 
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x), 
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x), 
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x), 
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x), 
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x), 
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x), 
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x), 
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x)

This issue can be tracked here:  BSERV-12098 - Getting issue details... STATUS

謝辞

Credit for finding this vulnerability goes to voidfyoo of Chaitin Tech.

Remote Code Execution (RCE) via post-receive hook - CVE-2019-20097

深刻度

Atlassian has given this vulnerability critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

これはアトラシアンの評価であり、お客様自身の IT 環境への適用性を評価する必要があります。

説明

Bitbucket Server and Data Center versions starting from 1.0.0 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Data Center systems, using a file with specially crafted content.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 1.x.x before 5.16.11 (fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x), 
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x), 
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x), 
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x), 
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x), 
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x), 
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x), 
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x), 
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x)

This issue can be tracked here:  BSERV-12099 - Getting issue details... STATUS

謝辞

Credit for this finding goes to thanat0s from Chaitin Tech.

Remote Code Execution (RCE) via edit-file request - CVE-2019-15012

深刻度

Atlassian has given this vulnerability critical CVSS score. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

これはアトラシアンの評価であり、お客様自身の IT 環境への適用性を評価する必要があります。

説明

Bitbucket Server and Data Center versions >= 4.13 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victim's Bitbucket Server or Data Center instance using the edit-file endpoint, if the user Bitbucket Server or Data Center is running as has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victim's Bitbucket Server instance.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 4.13.x before 5.16.11 (fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x), 
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x), 
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x), 
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x), 
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x), 
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x), 
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x), 
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x), 
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x)

This issue can be tracked here:  BSERV-12100 - Getting issue details... STATUS

謝辞

Credit for this finding goes to the Atlassian Bitbucket Server and Data Center development team.



修正

To address these issues, we have released Bitbucket Server and Data Center version:

  • 5.16.11 that contains a fix for these issues.
  • 6.0.11 that contains a fix for these issues.
  • 6.1.9 that contains a fix for these issues.
  • 6.2.7 that contains a fix for these issues.
  • 6.3.6 that contains a fix for these issues.
  • 6.4.4 that contains a fix for these issues.
  • 6.5.3 that contains a fix for these issues.
  • 6.6.3 that contains a fix for these issues.
  • 6.7.3 that contains a fix for these issues.
  • 6.8.2 that contains a fix for these issues.
  • 6.9.1 that contains a fix for these issues.

These versions can be downloaded at https://www.atlassian.com/software/bitbucket/download-archives, with the latest version at https://www.atlassian.com/software/bitbucket/download.

必要なアクション

Atlassian recommends that you upgrade to the latest version (6.9.1). For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket Server and Data Center from the Atlassian website.


最新バージョン (6.9.1) にアップグレードできない場合は、以下を実行してください。

If you have feature version…

…then upgrade to this bugfix version:

1.x.x, 2.x.x, 3.x.x, 4.x.x or 5.x.x

5.16.11

6.0.x

6.0.11
6.1.x6.1.9
6.2.x6.2.7
6.3.x6.3.6
6.4.x6.4.4
6.5.x6.5.3
6.6.x6.6.3
6.7.x6.7.3
6.8.x6.8.2


問題の軽減策

If you are unable to upgrade Bitbucket server or Data Center immediately, then as a temporary workaround, you can follow the following steps:

There are no known workarounds for CVE-2019-15010 or CVE-2019-20097, so it's important to upgrade to a fixed version as soon as possible.

サポート

このアドバイザリのメールを受信していないため今後の受信を希望する場合は、https://my.atlassian.com/email にアクセスしてアラート メールにご登録ください。

この勧告に関してご質問や懸念がある場合は、https://support.atlassian.com/ja/ でサポート リクエストを作成してください。

参考

セキュリティ バグ修正ポリシー

アトラシアンの新しいポリシーに記載のとおり、重大なセキュリティ バグ修正は、https://www.atlassian.com/trust/security/bug-fix-policy に応じてバックポートされます。新しいポリシーの対象バージョンについては、バイナリ パッチではなく新しいメンテナンス リリースが提供されます。

バイナリ パッチのリリースは終了しています。 

セキュリティの問題の重大度レベルアトラシアンのセキュリティ勧告には重大度レベルと CVE ID が含まれます。重大度レベルは、それぞれの脆弱性についてアトラシアンが独自に計算した CVSS スコアに基づきます。CVSS は業界標準の脆弱性メトリックです。CVSS の詳細を FIRST.org でご確認ください。
サポート終了ポリシーサポート終了ポリシーは、製品によって異なります。詳細は、アトラシアンの「製品終了ポリシー」を参照してください。 
最終更新日: 2020 年 1 月 28 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.