Atlassian have just announced CRITICAL security vulnerabilities in the following products: Bitbucket Server & Bitbucket Data Center, Jira Server & Jira Data Center, and Jira Service Desk & Jira Service Desk Data Center.
Summary of Vulnerabilities
Bitbucket Server & Bitbucket Data Center
Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands. This could lead to remote code execution, where attackers can exploit the argument injection vulnerability if they manage to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, attackers can anonymously exploit the issue.
All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability.
Jira Server & Jira Data Center
There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with “JIRA Administrators” access can exploit this issue. Successful exploitation of this issue means that an attacker can remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Versions of Jira Server & Jira Data Center starting with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from 8.1.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.
Jira Service Desk Server & Jira Service Desk Data Center
JSD gives customer portal users permission by design to only raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by a remote attacker with portal access who exploits a path traversal vulnerability. Note that attackers can grant themselves access to JSD projects that have enabled the setting where anyone can email the service desk or raise a request in the portal. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include JSD projects, Jira Core projects, and Jira Software projects.
All versions of Jira Service Desk before 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and 4.4.0 are affected by this vulnerability.
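The affected ranges above follow one pattern: each release branch is vulnerable from its first version up to, but not including, the fixed version for that branch. The following script is an added example (not code from Clearvision or Atlassian) that encodes the ranges exactly as the three advisory paragraphs state them, parses an installed version string and reports whether an instance is affected and which fixed version closes its branch. The product keys (`bitbucket`, `jira`, `jira-service-desk`), the hostnames in the sample inventory and the handling of build suffixes such as `-rc1` are assumptions made for the example; the only entry with no fixed version is Service Desk 4.4.0, because the text above lists that version alone.

```python
"""Check installed Atlassian product versions against the affected ranges quoted in the advisory summary."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a 3-tuple; a missing patch counts as 0.
    Assumption: a build suffix such as '-rc1' does not move the version to another branch, so it is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


@dataclass(frozen=True)
class AffectedRange:
    low: Optional[str]   # inclusive lower bound; None means every earlier version is affected
    high: Optional[str]  # exclusive upper bound, i.e. the fixed version for that branch
    exact: bool = False  # True when the advisory lists a single version rather than a range

    def contains(self, v: Version) -> bool:
        if self.exact:
            return v == parse_version(self.low)
        if self.low is not None and v < parse_version(self.low):
            return False
        if self.high is not None and v >= parse_version(self.high):
            return False
        return True


# Ranges transcribed from the advisory text; product keys are an assumption of this example.
AFFECTED: Dict[str, List[AffectedRange]] = {
    "bitbucket": [
        AffectedRange(None, "5.16.10"),
        AffectedRange("6.0.0", "6.0.10"),
        AffectedRange("6.1.0", "6.1.8"),
        AffectedRange("6.2.0", "6.2.6"),
        AffectedRange("6.3.0", "6.3.5"),
        AffectedRange("6.4.0", "6.4.3"),
        AffectedRange("6.5.0", "6.5.2"),
    ],
    "jira": [
        AffectedRange("7.0.10", "7.6.16"),
        AffectedRange("7.7.0", "7.13.8"),
        AffectedRange("8.1.0", "8.1.3"),
        AffectedRange("8.2.0", "8.2.5"),
        AffectedRange("8.3.0", "8.3.4"),
        AffectedRange("8.4.0", "8.4.1"),
    ],
    "jira-service-desk": [
        AffectedRange(None, "3.9.16"),
        AffectedRange("3.10.0", "3.16.8"),
        AffectedRange("4.0.0", "4.1.3"),
        AffectedRange("4.2.0", "4.2.5"),
        AffectedRange("4.3.0", "4.3.4"),
        AffectedRange("4.4.0", None, exact=True),  # listed on its own; the text gives no fixed version
    ],
}


def affected_range(product: str, installed: str) -> Optional[AffectedRange]:
    """Return the range matching the installed version, or None when it is not listed as affected."""
    v = parse_version(installed)
    for r in AFFECTED[product]:
        if r.contains(v):
            return r
    return None


def is_affected(product: str, installed: str) -> bool:
    return affected_range(product, installed) is not None


def fixed_version(product: str, installed: str) -> Optional[str]:
    """The fixed version for the installed branch, or None if the instance is not affected
    (or, for Service Desk 4.4.0, because the advisory text names no fixed version)."""
    r = affected_range(product, installed)
    return r.high if r is not None else None


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, Optional[str]]]:
    """From (hostname, product, version) records, keep the instances that still need an upgrade."""
    return [
        (host, product, version, fixed_version(product, version))
        for host, product, version in inventory
        if is_affected(product, version)
    ]


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are not real systems.
    sample = [
        ("bitbucket-01.example.internal", "bitbucket", "6.3.2"),
        ("bitbucket-02.example.internal", "bitbucket", "6.5.2"),
        ("jira-01.example.internal", "jira", "7.13.7"),
        ("jira-02.example.internal", "jira", "7.6.16"),
        ("jsd-01.example.internal", "jira-service-desk", "4.4.0"),
    ]
    for host, product, version, fix in triage(sample):
        print(f"{host}: {product} {version} is affected; upgrade to {fix or 'the fixed release for this branch'}")
```

Run against an inventory export and the output lists only the instances that sit inside a vulnerable range, together with the branch's fixed version, which is the minor patch upgrade the "What you need to do" section describes; a version equal to the fixed release (for example Bitbucket 6.5.2 or Jira 7.6.16) is correctly reported as not affected because the upper bound is exclusive.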
What you need to do
Atlassian recommend upgrading all of the above products to the latest version as soon as possible; releases containing the fixes are already available to download.
If you’re running Enterprise releases, then the upgrade will be a minor patch version from the one you are currently on. If you are on a standard release, then you will need to install a later version which may also introduce other functional changes.
Don’t forget that the Clearvision services team are available to assist you in performing upgrades, or if you are interested in making upgrades and security warnings someone else’s problem, then our ClearHost solution can take care of your tools platform, allowing you to get on with your day job.