[BSERV-13173] Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133

    • CVSS v3 score: 10
    • Severity: Critical
    • CVE-2022-26133

      Update: 2022/04/08 23:00 UTC (Coordinated Universal Time, +0 hours)

      • Assigned CVE-2022-26133 to this vulnerability, which was determined to be similar to CVE-2016-10750 but slightly different and specific to Bitbucket.
      • Note that the new CVE assignment does not change any other information in this advisory; the existing list of affected and fixed versions remains unchanged and accurate.

      Vulnerability Details

      Bitbucket Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks (CVE-2022-26133). Hazelcast provides functionality needed to run Bitbucket Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution.

      Affected Versions

      Bitbucket Server is not affected.
      Bitbucket Cloud is not affected.

      Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.

      The following versions are affected:

      • All 5.x versions >= 5.14.x
      • All 6.x versions
      • All 7.x versions < 7.6.14
      • All versions 7.7.x through 7.16.x
      • 7.17.x < 7.17.6
      • 7.18.x < 7.18.4
      • 7.19.x < 7.19.4
      • 7.20.0

      Fixed Versions

      The following versions of Bitbucket Data Center fix this vulnerability:

      • 7.6.14
      • 7.17.6
      • 7.18.4
      • 7.19.4
      • 7.20.1
      • 7.21.0

      Find the versions above on our downloads page and use the steps outlined in the Bitbucket upgrade guide to complete the upgrade.

      If you are unable to install a fixed version, refer to the “Workaround” section below.
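To triage a fleet of instances against the lists above, here is an added example (not Atlassian's code): a POSIX shell function that encodes the advisory's affected ranges, returning exit status 0 for a version the advisory lists as affected and 1 otherwise. It assumes version strings of the form MAJOR.MINOR.PATCH, optionally with a non-numeric suffix.

```shell
#!/bin/sh
# Added example, not Atlassian's code: decides whether a Bitbucket Data Center
# version lies in the ranges this advisory lists as affected by CVE-2022-26133.
# Exit status 0 = affected, 1 = not affected (a fixed version, or a version the
# advisory does not list at all, such as 5.13.x or 8.x).
set -eu

bitbucket_cve_2022_26133_affected() {
  # Split MAJOR.MINOR.PATCH on dots; a missing part counts as 0 and any
  # non-numeric suffix on the patch (e.g. "5-SNAPSHOT") is ignored.
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  major=$1; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}; patch=${patch:-0}
  case "$major" in
    5) [ "$minor" -ge 14 ] ;;                            # All 5.x >= 5.14.x
    6) true ;;                                           # All 6.x
    7)
      if   [ "$minor" -lt 6 ];  then true                # 7.0.x .. 7.5.x
      elif [ "$minor" -eq 6 ];  then [ "$patch" -lt 14 ] # 7.6.x  < 7.6.14
      elif [ "$minor" -le 16 ]; then true                # 7.7.x .. 7.16.x
      elif [ "$minor" -eq 17 ]; then [ "$patch" -lt 6 ]  # 7.17.x < 7.17.6
      elif [ "$minor" -le 19 ]; then [ "$patch" -lt 4 ]  # 7.18.x, 7.19.x < .4
      elif [ "$minor" -eq 20 ]; then [ "$patch" -eq 0 ]  # only 7.20.0
      else false                                         # 7.21.0 and later
      fi ;;
    *) false ;;                                          # not in the advisory
  esac
}

# Usage: sh check.sh 7.6.13 7.20.1 ...   (prints one verdict per version)
for v in "$@"; do
  if bitbucket_cve_2022_26133_affected "$v"; then
    echo "$v: affected - upgrade to a fixed version or restrict port 5701"
  else
    echo "$v: not affected"
  fi
done
```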

      Workaround

      Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Bitbucket or Confluence cluster. Bitbucket Data Center configures Hazelcast to use TCP port 5701 by default.
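One concrete form of this workaround, as an added example (not Atlassian's code): a POSIX shell function that emits an nftables ruleset allowing only the listed cluster-node addresses to reach the Hazelcast port and dropping every other source. It assumes nftables is available on the node; the table name bitbucket_hazelcast and the peer addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not Atlassian's code. Emits an nftables ruleset that lets only
# the given cluster-node addresses reach the Hazelcast port and drops all other
# sources, i.e. the network-level workaround described in the advisory.
set -eu

HAZELCAST_PORT="${HAZELCAST_PORT:-5701}"   # Bitbucket Data Center default

# Usage: hazelcast_nft_ruleset [PEER_IPV4 ...]
# Prints the ruleset; apply it with:
#   hazelcast_nft_ruleset 10.0.0.11 10.0.0.12 | nft -f -
# With no peers (a single-node install, which the advisory says is still
# affected) no allow rule is emitted, so the port is closed to everyone.
hazelcast_nft_ruleset() {
  echo "table inet bitbucket_hazelcast {"
  if [ "$#" -gt 0 ]; then
    peers=$(printf '%s, ' "$@")
    peers="${peers%, }"                    # drop the trailing separator
    echo "  set cluster_nodes {"
    echo "    type ipv4_addr"
    echo "    elements = { $peers }"
    echo "  }"
  fi
  echo "  chain input {"
  # policy accept: this chain only decides the Hazelcast port; all other
  # traffic is left to the node's existing firewall rules
  echo "    type filter hook input priority 0; policy accept;"
  if [ "$#" -gt 0 ]; then
    echo "    tcp dport $HAZELCAST_PORT ip saddr @cluster_nodes accept"
  fi
  echo "    tcp dport $HAZELCAST_PORT drop"
  echo "  }"
  echo "}"
}

# Constructed sample: a two-peer cluster as seen from a third node.
hazelcast_nft_ruleset 10.0.0.11 10.0.0.12
```

Re-applying the output appends the rules a second time, so run `nft delete table inet bitbucket_hazelcast` before re-applying with a changed peer list.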

      Acknowledgements

      We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.

      References

      For more information, please refer to Atlassian's security advisory.

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 10.0 => Critical severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: None
            User Interaction: None

            Scope Metric

            Scope: Changed

            Impact Metrics

            Confidentiality: High
            Integrity: High
            Availability: None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

            Anton Genkin (Inactive) added a comment - edited

            Yes, since Smart Mirrors are just Bitbucket Data Center with a special configuration, they are also vulnerable and have to be updated.

            Yes, it breaks rolling upgrades as we had to make a change to fix the cluster authentication mechanism. You won't be able to cross the Bugfix version with a rolling upgrade, but it is possible on either side of the fix.

            Plarium Ukraine added a comment - Are Smart Mirrors affected too?

            Adam Raitanen added a comment - Why does this break rolling upgrades and when will that be fixed?

            Ed Arias added a comment -

            Disabled Hazelcast via the $BITBUCKET_HOME/shared/bitbucket.properties file. As stated in Atlassian documentation:

            "When not in use (for non-Data Center implementations or if hazelcast.network.multicast has been set to false in your bitbucket.properties file) Bitbucket intercepts any attempts to connect to that port and rejects those attempts."

            Doc reference:

            https://confluence.atlassian.com/bitbucketserverkb/which-ports-does-bitbucket-server-listen-on-and-what-are-they-used-for-806029586.html

            https://docs.hazelcast.com/imdg/4.0/clusters/network-configuration

            Frank Hess added a comment -

            I was always wondering why the firewall aspect is treated as optional in the cluster nodes requirements:

            Cluster nodes requirements
            Each node does not need to be identical, but for consistent performance we recommend they are as close as possible. All cluster nodes must:
            ...
            (optional) it's good practice to use a firewall and/or network segregation to make sure that only specific nodes are allowed to connect to a Bitbucket cluster node's Hazelcast port, which by default is port 5701. This is optional, as password is used to authenticate the nodes

            https://confluence.atlassian.com/bitbucketserver/clustering-with-bitbucket-776640164.html#ClusteringwithBitbucket-Clusternodesrequirements

            In this context please remove the optional.

            Timothy McClain added a comment - Is 5.14 the only affected version or is it all versions that are not part of the listed fix versions?
