- Public Security Vulnerability
- Resolution: Fixed
- Low
- 5.14.0
- None
- 10
- Critical
- CVE-2022-26133
Update: 2022/04/08 23:00 UTC (Coordinated Universal Time, +0 hours)
- Assigned CVE-2022-26133 to this vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket
- Note the new CVE assignment does not change any other information in this advisory. The existing list of affected and fixed versions remains unchanged and accurate
Vulnerability Details
Bitbucket Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks (CVE-2022-26133). Hazelcast provides functionality needed to run Bitbucket Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution.
Affected Versions
Bitbucket Server is not affected.
Bitbucket Cloud is not affected.
Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.
The following versions are affected:
- All 5.x versions >= 5.14.x
- All 6.x versions
- All 7.x versions < 7.6.14
- All versions 7.7.x through 7.16.x
- 7.17.x < 7.17.6
- 7.18.x < 7.18.4
- 7.19.x < 7.19.4
- 7.20.0
Fixed Versions
The following versions of Bitbucket Data Center fix this vulnerability:
- 7.6.14
- 7.17.6
- 7.18.4
- 7.19.4
- 7.20.1
- 7.21.0
Find the versions above on our downloads page and use the steps outlined in the Bitbucket upgrade guide to complete the upgrade.
If you are unable to install a fixed version, refer to the “Workaround” section below.
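The affected and fixed lists above, encoded as a version check so a node's installed release can be tested against them. This is an added example, not part of the advisory or of Atlassian's tooling: it mirrors the ranges exactly as listed and takes the list as complete, so anything outside it (releases older than 5.14, or 7.21.0 and newer) is reported as not affected; report_version and the placeholder path mentioned in its comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Bitbucket Data Center
# version string falls inside one of the affected ranges listed above.
# Exit status: 0 = affected, 1 = not in the affected list, 2 = malformed input.
# Versions the list does not name (older than 5.14, or 7.21.0 and later) are
# reported as not affected purely because the list does not mention them.
bitbucket_dc_affected() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.) echo "malformed version: '$1'" >&2; return 2 ;;
  esac
  IFS=. read -r major minor patch _rest <<EOF
$1
EOF
  minor=${minor:-0}; patch=${patch:-0}
  case "$major" in
    5) [ "$minor" -ge 14 ] ;;                              # All 5.x >= 5.14.x
    6) return 0 ;;                                         # All 6.x
    7)
      if   [ "$minor" -lt 6 ];  then return 0              # 7.0.x .. 7.5.x
      elif [ "$minor" -eq 6 ];  then [ "$patch" -lt 14 ]   # 7.6.x < 7.6.14
      elif [ "$minor" -le 16 ]; then return 0              # 7.7.x .. 7.16.x
      elif [ "$minor" -eq 17 ]; then [ "$patch" -lt 6 ]    # 7.17.x < 7.17.6
      elif [ "$minor" -eq 18 ]; then [ "$patch" -lt 4 ]    # 7.18.x < 7.18.4
      elif [ "$minor" -eq 19 ]; then [ "$patch" -lt 4 ]    # 7.19.x < 7.19.4
      elif [ "$minor" -eq 20 ]; then [ "$patch" -lt 1 ]    # 7.20.0 only
      else return 1                                        # 7.21.0 and later
      fi ;;
    *) return 1 ;;
  esac
}

# One-line verdict for a version string, e.g. the one shown in the admin UI or
# read from the installation (the exact file path is deployment-specific and
# deliberately not assumed here).
report_version() {
  if bitbucket_dc_affected "$1"; then
    echo "$1: AFFECTED - upgrade to a fixed version or apply the workaround"
  else
    case "$?" in
      1) echo "$1: not in the affected list" ;;
      *) echo "$1: could not parse" ;;
    esac
  fi
}

# Usage: report_version 7.20.0
```

Run it against the version string of every node, including single-node installations, since the advisory states that clustering being disabled does not make an installation unaffected.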
Workaround
Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Bitbucket or Confluence cluster. Bitbucket Data Center configures Hazelcast to use TCP port 5701 by default.
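The workaround rendered as a concrete nftables ruleset, as an added example that is not from the advisory: hazelcast_nft_ruleset, the peer list it takes and the HAZELCAST_PORT override are assumptions of this example; the port defaults to 5701 as the advisory states. The function only emits the ruleset text, so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the advisory): emit an nftables ruleset that allows
# inbound TCP to the Hazelcast port only from the given cluster peers (and from
# loopback) and drops every other source. Peers are IPv4 addresses or CIDR
# blocks given as arguments; HAZELCAST_PORT overrides the default 5701 for a
# node configured with a non-default port.
hazelcast_nft_ruleset() {
  port="${HAZELCAST_PORT:-5701}"
  case "$port" in ""|*[!0-9]*) echo "bad port: '$port'" >&2; return 2 ;; esac
  [ "$#" -gt 0 ] || { echo "usage: hazelcast_nft_ruleset PEER [PEER...]" >&2; return 2; }
  for peer in "$@"; do
    # Loose sanity check: only digits, dots and a slash may appear, so a stray
    # argument cannot inject nft syntax into the generated ruleset.
    case "$peer" in ""|*[!0-9./]*) echo "rejecting peer '$peer'" >&2; return 2 ;; esac
  done
  peers=$(printf '%s, ' "$@"); peers=${peers%, }
  cat <<EOF
table inet hazelcast {
  chain input {
    type filter hook input priority 0; policy accept;
    # The node itself (loopback) and its cluster peers may reach Hazelcast.
    iifname "lo" tcp dport $port accept
    ip saddr { $peers } tcp dport $port accept
    # Any other source is dropped; traffic to other ports is left to existing rules.
    tcp dport $port drop
  }
}
EOF
}

# Usage: hazelcast_nft_ruleset 10.0.0.11 10.0.0.12 > hazelcast.nft
```

Generate the file on every node with the addresses of the other nodes, inspect it, then load it with `nft -f hazelcast.nft` and confirm with `nft list table inet hazelcast`. For a single-node installation, which the advisory says is affected as well, pass 127.0.0.1 so that only the host itself is allowed. The allow rule matches IPv4 sources only; a cluster that talks over IPv6 needs an equivalent `ip6 saddr` rule, otherwise its peers fall through to the drop.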
Acknowledgements
We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.
References
For more information, please refer to Atlassian's security advisory.
Relates to: CONFSERVER-78179 Confluence Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2016-10750 (Closed)