How to Fix CVE-2022-36804- A Command Injection Vulnerability in Bitbucket Server and Data Center

Australian software company Atlassian bells users to immediately patch a critical vulnerability, CVE-2022-36804, providing remote hackers with access to a public repository or with read permissions to a private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. The warning is necessary because attacks with a valid Bitbucket login read-only account could leverage it to perform remote code execution on Bitbucket Server and Data Center. There is a need to fix the issue; therefore, this article will highlight how to Fix CVE-2022-36804- A Command injection vulnerability in Bitbucket Server and Data Center.

A Short Note About Bitbucket:

Bitbucket is a web-based version control repository hosting service owned by Atlassian, for source code and development projects that use either Mercurial (since launch) or Git (since October 2011) revision control systems. Bitbucket offers both commercial plans and free accounts. It has a sister services, Bitbucket Cloud, Bitbucket Server, and Bitbucket Data Center, running on customer’s premises.

Bitbucket is similar to GitHub and GitLab. All three offer free accounts with unlimited private repositories (although Bitbucket has a limit of five users for free plans), as well as paid accounts for users and organizations. Paid plans vary by the number of users, features, and support.

Bitbucket integrates with other Atlassian products such as JIRA, HipChat, and Bamboo. Bitbucket also offers a REST API that can be used to access repositories, users, groups, and events from outside of the Bitbucket web interface.

Some of the features offered by Bitbucket are:

Bitbucket Cloud:

In September 2010, Atlassian launched Bitbucket Cloud, a service that allows users to host their Mercurial and Git repositories in the cloud. Bitbucket Cloud is a cloud-based version of Bitbucket Server hosted on Atlassian cloud servers that can be accessible via a bitbucket.org domain from anywhere over the internet.

Bitbucket Server:

Bitbucket Server is a self-hosted version of Bitbucket Cloud that runs on customer servers. Bitbucket Server is available for download from the Atlassian website. Bitbucket Server requires a MySQL database and an application server such as Tomcat, JBoss, or WebLogic.

Bitbucket Data Center:

Bitbucket Data Center is a version of Bitbucket Server designed for organizations with large numbers of users and repositories. Bitbucket Data Center is available as a downloadable virtual appliance from the Atlassian website. The appliance includes Bitbucket Server, MySQL, Apache, and all of the other software required to run Bitbucket Data Center.

Summary of CVE-2022-36804:

This is a command injection vulnerability in Bitbucket Server and Data Center, which is stemmed from REST API service that can be used to access repositories, users, groups, and events from outside of the Bitbucket web interface.

The issue is being tracked as CVE-2022-36804 is rated with a severity level of this flaw as ‘critical’ as per Atlassian. Let’s see some information about the vulnerability and how to fix the CVE-2022-36804 vulnerability in the coming sessions.

Atlassian said, “An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.” – Atlassian

Important points to know about CVE-2022-36804 (A Command injection vulnerability in Bitbucket Server and Data Center):

Bitbucket Server And Data Center Versions Affected By CVE-2022-36804:

This issue affects all the Bitbucket Server and Data Center versions from v7.0.0 to v8.3.0. Here is the full list of versions affected by CVE-2022-36804.

7.0.0, 7.0.1, 7.2.0, 7.0.2, 7.1.1, 7.0.3, 7.1.2, 7.0.4, 7.1.3, 7.2.1, 7.3.0, 7.0.5, 7.1.4, 7.2.2, 7.2.3, 7.2.4, 7.4.0, 7.3.1, 7.2.5, 7.3.2, 7.4.1, 7.5.0, 7.4.2, 7.5.1, 7.6.0, 7.2.6, 7.5.2, 7.6.1, 7.7.0, 7.8.0, 7.7.1, 7.6.2, 7.9.0, 7.8.1, 7.9.1, 7.10.0, 7.6.3, 7.6.4, 7.10.1, 7.12.0, 7.11.1, 7.6.5, 7.11.2, 7.6.6, 7.13.0, 7.12.1, 7.6.7, 7.14.0, 7.13.1, 7.15.0, 7.14.1, 7.6.8, 7.14.2, 7.6.9, 7.15.1, 7.16.0, 7.15.2, 7.17.0, 7.18.0, 7.16.1, 7.6.10, 7.17.1, 7.17.2, 7.18.1, 7.6.11, 7.16.2, 7.17.3, 7.18.2, 7.20.0, 7.18.3, 7.17.4, 7.15.3, 7.16.3, 7.6.12, 7.6.13, 7.19.2, 7.18.4, 7.17.5, 7.19.3, 7.6.14, 8.0.0, 7.21.0, 7.17.6, 7.19.4, 7.20.1, 7.21.1, 7.6.15, 7.17.7, 7.19.5, 7.20.2, 7.17.8, 8.1.0, 8.2.0, 8.0.1, 8.1.1, 7.6.16, 7.21.2, 7.17.9, 7.20.3, 7.21.3, 8.0.2, 8.1.2, 8.2.1, 8.3.0.

If you have been using the Bitbucket Mesh nodes, then you should see the corresponding version of Mesh those are prone to this issue. Please check the compatibility matrix to match the Mesh versions with the corresponding Data Center version. If you are not sure that Bitbucket Mesh is configured, then login to your Bitbucket instance with an administrator account. Navigate to Administration > Bitbucket Mesh. You will be greeted with a list of Mesh nodes if your Bitbucket instance is configured with Mesh. If not, you can leave this step.

How to Fix CVE-2022-36804- A Command Injection Vulnerability in Bitbucket Server and Data Center?

Atlassian responded to this flaw by releasing patched versions of Bitbucket Server and Data Center. Atlassian recommends upgrading vulnerable versions to any of the fixed versions. Please see the table below to know the fixed versions of Bitbucket Server and Data Center. If you want to download the latest versions of Bitbucket Server and Data Center, you can get it from the download center.

If in case, you are not in a position to upgrade Bitbucket Server and Data Center any time soon, you should disable the public access of repositories globally by setting feature.public.access=false until you permanently fix the issue. This would work as a roadblock and soften the attack intensity. This doesn’t mean you are covered from the attack. This just hardens the attack vector from an unauthorized to an authorized attack.

By considering all these aspects, it is clear that even if your repositories are not public, your instances are prone to attacks unless you use the cloud version of Bitbucket. Upgradation is the only way to fix the CVE-2022-36804 vulnerability. Let’s see how to Upgrade Bitbucket Server and Data Center in the coming section.

How to Upgrade Bitbucket Server and Data Center?

Follow these steps to upgrade your Bitbucket Server. If you want to know the upgradation procedure of the data center, you can visit here. There is an alternate way to upgrade Bitbucket without downtime. Click here to learn the official procedure.

Before you start, you need to ask the answer yourselves to the following question. If not sure, create a test environment and run the tests as many times you want until you are clear with all answers to your questions. Additionally, don’t forget to do pre-checks and take backup once you are ready for the upgrade. 

Step 1. Download the Bitbucket Server upgrade installer file

Download the latest versions of Bitbucket Server from the download center.

Step 2. Stop the Bitbucket Server application

To stop Bitbucket Server application from Linux CLI, change to the <Bitbucket Server installation directory> and run this below command:

# bin/stop-bitbucket.sh

Step 3. Run the downloaded installer

Change to the directory where you downloaded the Bitbucket Server installer file then execute this command to make the installer executable: 

# chmod +x atlassian-bitbucket-x.x.x-x64.bin

Run this command to execute the installer file.

# sudo ./atlassian-bitbucket-x.x.x-x64.bin

Step 4. Complete the installation/upgradation procedure

At the ‘Welcome’ step, choose the type of instance to upgrade and at the ‘Select Bitbucket Server Home’ step, select your existing home directory. Proceed with the remaining installer steps to complete the installation/upgradation procedure.

We hope this post would help you know how to Fix CVE-2022-36804- A Command injection vulnerability in Bitbucket Server and Data Center. Please share this post if you find this interested. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.