Update: 2022/04/08 23:00 UTC (Coordinated Universal Time, +0 hours)
- Assigned CVE-2022-26133 to this vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket
- Note the new CVE assignment does not change any other information in this advisory. The existing list of affected and fixed versions remains unchanged and accurate
Bitbucket Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks (CVE-2022-26133). Hazelcast provides functionality needed to run Bitbucket Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution.
Bitbucket Server is not affected.
Bitbucket Cloud is not affected.
Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.
The following versions are affected:
- All 5.x versions >= 5.14.x
- All 6.x versions
- All 7.x versions < 7.6.14
- All versions 7.7.x through 7.16.x
- 7.17.x < 7.17.6
- 7.18.x < 7.18.4
- 7.19.x < 7.19.4
The following versions of Bitbucket Data Center fix this vulnerability:
If you are unable to install a fixed version, refer to the “Workaround” section below.
Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Bitbucket or Confluence cluster. Bitbucket Data Center configures Hazelcast to use TCP port 5701 by default.
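One way to put the workaround above into practice on a Linux node, as an added example that is not part of Atlassian's advisory: a POSIX shell script that generates an nftables ruleset allowing the Hazelcast port only from the other cluster nodes and dropping (and logging) everything else, plus a helper that reads `ss -ltn` output to show whether the port is bound to all interfaces. Assumptions: nftables is the host firewall, the peer addresses and the sample `ss` output are constructed for illustration, and the port is the default TCP 5701 named in the advisory (check `bitbucket.properties` on your own nodes before applying). The script only prints the ruleset unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not Atlassian's code. Restricts Bitbucket Data Center's
# Hazelcast port to known cluster members using nftables.
# Assumed default port from the advisory; override with HAZELCAST_PORT=... if
# your bitbucket.properties sets a different value.
HAZELCAST_PORT="${HAZELCAST_PORT:-5701}"

# Emit a complete nftables table for the given peer IPv4 addresses.
# Usage: hazelcast_rules <peer-ip> [<peer-ip> ...]
# With no peers (a single-node install, which the advisory says is also
# affected) no accept rule is emitted and the port is closed to everyone.
hazelcast_rules() {
    peers=""
    for ip in "$@"; do
        peers="${peers:+$peers, }$ip"
    done
    printf 'table inet bitbucket_hazelcast {\n'
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy accept;\n'
    if [ -n "$peers" ]; then
        # Accept Hazelcast traffic only from known cluster members
        printf '        tcp dport %s ip saddr { %s } accept\n' "$HAZELCAST_PORT" "$peers"
    fi
    # Everything else aimed at the Hazelcast port is logged and dropped
    printf '        tcp dport %s log prefix "hazelcast-blocked: " drop\n' "$HAZELCAST_PORT"
    printf '    }\n'
    printf '}\n'
}

# Print the local address:port pairs listening on the Hazelcast port.
# Feed it the output of `ss -ltn` on stdin. A result such as 0.0.0.0:5701
# or [::]:5701 means the port is reachable on every interface, so the
# firewall restriction above is needed.
hazelcast_listen_addrs() {
    awk -v port="$HAZELCAST_PORT" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) print $4
        }'
}

# Preview (default) or apply (APPLY=1) the ruleset for the peer addresses
# given on the command line, e.g.:
#   sh hazelcast-fw.sh 10.0.0.11 10.0.0.12          # preview
#   APPLY=1 sh hazelcast-fw.sh 10.0.0.11 10.0.0.12  # load into nftables
if [ "${APPLY:-0}" = "1" ]; then
    hazelcast_rules "$@" | nft -f -
else
    hazelcast_rules "$@"
fi
```

Run the preview first on each node and compare the peer list against the cluster membership you expect; the log prefix makes blocked connection attempts easy to pick out of the kernel log afterwards.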
We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.
For more information, please refer to Atlassian's security advisory.