2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article describes the remote code execution vulnerabilities announced for Bitbucket Server and Data Center. The content is quite detailed; interested readers can use it for reference, and I hope it is helpful to you.
0x00 vulnerability background
On January 17, 2020, 360CERT monitoring noted that on January 15, 2020 Bitbucket had officially issued a security notice containing three remote code execution vulnerabilities; the vulnerability level is serious.
Bitbucket is a web-based repository hosting service provided by ATLASSIAN that supports the Mercurial and Git version control systems. The security announcement discloses three remote code execution vulnerabilities:
CVE-2019-15010
CVE-2019-20097
CVE-2019-15012
An attacker can exploit the above vulnerabilities by constructing a specific attack payload; successful exploitation allows arbitrary commands to be executed on the victim's Bitbucket Server or Data Center instance.
360CERT rates the vulnerability level as high and the affected scope as wide. Users of Bitbucket Server and Data Center are advised to install the latest patches promptly to avoid attacks.
0x01 vulnerability details
1. CVE-2019-15010
This vulnerability affects Bitbucket Server and Data Center products from version 3.0.0 onward. An attacker holding an account with user-level privileges can construct a malicious payload and submit it as user input to attack the instance remotely. On successful exploitation, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Data Center instance.
2. CVE-2019-20097
This vulnerability affects Bitbucket Server and Data Center products from version 1.0.0 onward. An attacker who has permission to clone and push to repositories on the victim's Bitbucket Server or Data Center instance can exploit it by pushing files with specially crafted content to that instance. On successful exploitation, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Data Center instance.
3. CVE-2019-15012
This vulnerability affects Bitbucket Server and Data Center versions 4.13 and later. An attacker with write access to a project repository can write arbitrary files on the Bitbucket Server or Data Center instance wherever the instance itself has write privileges. In some cases this can lead to remote code execution, that is, arbitrary command execution.
0x02 affected version
CVE number: CVE-2019-15010
Affected versions:
Version 3.x.x < 5.16.11
Version 6.0.x < 6.0.11
Version 6.1.x < 6.1.9
Version 6.2.x < 6.2.7
Version 6.3.x < 6.3.6
Version 6.4.x < 6.4.4
Version 6.5.x < 6.5.3
Version 6.6.x < 6.6.3
Version 6.7.x < 6.7.3
Version 6.8.x < 6.8.2
Version 6.9.x < 6.9.1
CVE number: CVE-2019-20097
Affected versions:
Version 1.x.x < 5.16.11
Version 6.0.x < 6.0.11
Version 6.1.x < 6.1.9
Version 6.2.x < 6.2.7
Version 6.3.x < 6.3.6
Version 6.4.x < 6.4.4
Version 6.5.x < 6.5.3
Version 6.6.x < 6.6.3
Version 6.7.x < 6.7.3
Version 6.8.x < 6.8.2
Version 6.9.x < 6.9.1
CVE number: CVE-2019-15012
Affected versions:
Version 4.13.x < 5.16.11
Version 6.0.x < 6.0.11
Version 6.1.x < 6.1.9
Version 6.2.x < 6.2.7
Version 6.3.x < 6.3.6
Version 6.4.x < 6.4.4
Version 6.5.x < 6.5.3
Version 6.6.x < 6.6.3
Version 6.7.x < 6.7.3
Version 6.8.x < 6.8.2
Version 6.9.x < 6.9.1
0x03 repair recommendation
General repair recommendation
1. Upgrade Bitbucket Server or Data Center to the latest version (6.9.1). The latest version can be downloaded from the official website:
https://www.atlassian.com/software/bitbucket/download
2. If you cannot upgrade to the latest version, upgrade to the patched release that corresponds to your current version:
Current version -> fix version
1.x.x, 2.x.x, 3.x.x, 4.x.x or 5.x.x -> 5.16.11
6.0.x -> 6.0.11
6.1.x -> 6.1.9
6.2.x -> 6.2.7
6.3.x -> 6.3.6
6.4.x -> 6.4.4
6.5.x -> 6.5.3
6.6.x -> 6.6.3
6.7.x -> 6.7.3
6.8.x -> 6.8.2
The fix versions can be downloaded from this address:
https://www.atlassian.com/software/bitbucket/download-archives
Temporary repair scheme
If you cannot upgrade Bitbucket Server or Data Center immediately, the file editing feature can be disabled as a workaround for CVE-2019-15012:
In bitbucket.properties, set:
feature.file.editor=false
There is no known workaround for CVE-2019-15010 or CVE-2019-20097, so please upgrade as soon as possible.
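As an added example (not part of the 360CERT or Atlassian advisory), the following Python script turns the affected-version table and the CVE-2019-15012 workaround above into an automated check: given an installed Bitbucket Server or Data Center version string, it reports which of the three CVEs that version is exposed to and which fix version the advisory maps it to, and it parses a bitbucket.properties file to confirm that feature.file.editor is set to false. The fix-version table and the first affected versions are taken from the advisory; the sample properties file content and all function names are constructed for this example.

```python
"""Added example: check a Bitbucket Server / Data Center version against the
affected-version table in the advisory, and check bitbucket.properties for the
CVE-2019-15012 workaround (feature.file.editor=false).  Not advisory code."""
from __future__ import annotations

import re
from typing import Optional

# Fix version per 6.x minor branch, from the advisory's repair table.
FIX_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (6, 0): (6, 0, 11),
    (6, 1): (6, 1, 9),
    (6, 2): (6, 2, 7),
    (6, 3): (6, 3, 6),
    (6, 4): (6, 4, 4),
    (6, 5): (6, 5, 3),
    (6, 6): (6, 6, 3),
    (6, 7): (6, 7, 3),
    (6, 8): (6, 8, 2),
    (6, 9): (6, 9, 1),
}
# Every 1.x.x to 5.x.x release is fixed by upgrading to 5.16.11.
LEGACY_FIX = (5, 16, 11)

# Earliest release in which each CVE is present, from the "affected version" table.
FIRST_AFFECTED: dict[str, tuple[int, int, int]] = {
    "CVE-2019-15010": (3, 0, 0),
    "CVE-2019-20097": (1, 0, 0),
    "CVE-2019-15012": (4, 13, 0),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; patch defaults to 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fix_version_for(version: tuple[int, int, int]) -> Optional[tuple[int, int, int]]:
    """Fix release the advisory maps this version to, or None if the branch
    (6.10 and later) is newer than anything the advisory's table covers."""
    if version < (6, 0, 0):
        return LEGACY_FIX
    return FIX_VERSIONS.get(version[:2])


def affected_cves(version_text: str) -> dict[str, str]:
    """Return {cve_id: fix_version} for each CVE this version is exposed to.
    A version at or above its branch's fix release is exposed to none."""
    v = parse_version(version_text)
    fix = fix_version_for(v)
    if fix is None or v >= fix:
        return {}
    fix_text = ".".join(str(n) for n in fix)
    return {cve: fix_text for cve, first in FIRST_AFFECTED.items() if v >= first}


def file_editor_disabled(properties_text: str) -> bool:
    """True if bitbucket.properties sets feature.file.editor=false.
    Java .properties files accept '=' or ':' as separator and treat lines
    starting with '#' or '!' as comments; the last assignment wins."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"feature\.file\.editor\s*[=:]\s*(\S+)", line)
        if m:
            value = m.group(1).lower()
    return value == "false"


# Constructed sample bitbucket.properties content for the demonstration.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
server.port=7990
feature.file.editor=false
"""

if __name__ == "__main__":
    for ver in ("2.5.0", "4.10.0", "6.5.2", "6.5.3", "7.0.0"):
        print(ver, "->", affected_cves(ver) or "not exposed per advisory table")
    print("file editor disabled:", file_editor_disabled(SAMPLE_PROPERTIES))
```

A version newer than the advisory's table (6.10 and later) is reported as not exposed only because the table says nothing about it; treat that as "consult a newer advisory", not as a clean bill of health.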
This concludes the announcement of the remote code execution vulnerabilities in Bitbucket Server and Data Center. I hope the above content is of some help and that you learned something from it. If you think the article is good, please share it so that more people can see it.