Bitbucket and CVE-2018-11235 and CVE-2018-11233

Roman Zabicki May 30, 2018

What versions of bitbucket contain the fixes for these CVEs?

4 answers

2 accepted

6 votes
Answer accepted
Daniel
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 30, 2018

Bitbucket Server running on Windows may be affected by CVE-2018-11233, if you have enabled any of the fsckObjects options ("fetch.fsckObjects", "receive.fsckObjects" or "transfer.fsckObjects") in any of your repositories, or globally for the Bitbucket Server user. For those running on Windows, we recommend updating Bitbucket Server with a patched version of Git. Information on updating Git can be found at https://confluence.atlassian.com/bitbucketserver/installing-and-upgrading-git-776640906.html.

Bitbucket Server itself is not vulnerable to CVE-2018-11235, regardless of platform, but we strongly recommend updating your client Git installations with a patched version of Git. The following versions of Git contain patches for CVE-2018-11233 and CVE-2018-11235:

  • Git 2.17.1
  • Git 2.16.4
  • Git 2.15.2
  • Git 2.14.4
  • Git 2.13.7

Be aware that the advice found below for enabling transfer.fsckObjects can result in significantly higher disk and CPU usage when servicing clone, fetch, pull and push operations. We recommend monitoring system utilization to ensure the increased load doesn't cause performance issues. Additionally, once you have upgraded all of your Git clients we recommend disabling the transfer.fsckObjects option again.


Additionally, after upgrading to a fixed version of Git on Bitbucket Server, you may want to consider globally enabling the transfer.fsckObjects Git option to help prevent exploitation of vulnerable Git client installations until all clients have been patched.

This can be done by running the following command as the user that Bitbucket Server runs as:

git config --global --bool transfer.fsckObjects true

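
As an added example (not part of the answer above and not Atlassian tooling), the following POSIX shell script checks a Git installation against the patched releases listed in the answer and reports whether any of the three fsckObjects options is enabled in the global config of the user it runs as, which is the same scope the command above writes to. The function and variable names are my own; the version thresholds are the ones given in the answer, and the "key=value" input format is what `git config --list` prints (it lowercases key names).

```shell
#!/bin/sh
# Added audit example, not from the answer or from Atlassian.
# Checks a Git install against the patched releases listed above and looks for
# enabled fsckObjects options in the global config of the current user.

# Return 0 if a Git version string (e.g. "2.16.3" or "2.17.1.windows.2") is at
# or above the patched release for its minor branch: 2.17.1, 2.16.4, 2.15.2,
# 2.14.4, 2.13.7 (from the answer). Newer branches are treated as patched,
# branches older than 2.13 as unpatched. Returns 1 otherwise.
git_version_is_patched() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    case "$minor" in
        17) min_patch=1 ;;
        16) min_patch=4 ;;
        15) min_patch=2 ;;
        14) min_patch=4 ;;
        13) min_patch=7 ;;
        *)
            [ "$minor" -gt 17 ] && return 0
            return 1 ;;
    esac
    [ "$patch" -ge "$min_patch" ]
}

# Read "key=value" lines (the format of `git config --list`, keys lowercased)
# on stdin and print every fsckObjects option that is switched on.
# Returns 0 if at least one of the three options is enabled, 1 otherwise.
fsck_options_enabled() {
    found=1
    while IFS= read -r line; do
        key=${line%%=*}
        value=${line#*=}
        case "$key" in
            fetch.fsckobjects|receive.fsckobjects|transfer.fsckobjects)
                case "$value" in
                    true|yes|on|1) echo "enabled: $line"; found=0 ;;
                esac ;;
        esac
    done
    return $found
}

# Run both checks against the Git binary on PATH for the current user.
audit_local_git() {
    command -v git >/dev/null 2>&1 || { echo "git not found on PATH"; return 2; }
    ver=$(git --version | awk '{print $3}')
    if git_version_is_patched "$ver"; then
        echo "git $ver: contains the fixes for CVE-2018-11233 and CVE-2018-11235"
    else
        echo "git $ver: NOT patched; upgrade to one of the releases listed above"
    fi
    # --global only: the settings of the user this script runs as
    git config --global --list 2>/dev/null | fsck_options_enabled \
        || echo "no fsckObjects option is enabled in the global config"
}

# Usage: sh audit_git.sh --audit   (as the user Bitbucket Server runs as)
if [ "${1:-}" = "--audit" ]; then
    audit_local_git
fi
```

Run it as the Bitbucket Server service user so that the global config it inspects is the one Git reads for Bitbucket's own operations; when the version check reports an unpatched Git, the fsckObjects report tells you whether the CVE-2018-11233 exposure described in the answer applies on a Windows host.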
Rabh Pandya May 31, 2018

Is Bitbucket cloud affected by this vulnerability?

Bryan Turner
Atlassian Team
May 31, 2018

@Rabh Pandya,

No, Bitbucket Cloud is not affected by either vulnerability. However, for CVE-2018-11235, we still recommend updating client Git versions to ensure they're safe from any malicious repositories that may exist on any of the various hosting platforms.

Best regards,
Bryan Turner
Atlassian Bitbucket

2 votes
Answer accepted
Caterina Curti
Atlassian Team
June 1, 2018

Please refer to the article by the Atlassian Security team on this subject:

- Atlassian Products & Services and CVE-2018-11235 & CVE-2018-11233


This covers Bitbucket Server as well as the other Atlassian Products & services.


Thanks,

Caterina - Atlassian

2 votes
Bryan Turner
Atlassian Team
May 31, 2018

Just to offer a little clarification, Bitbucket Server itself is not vulnerable to either CVE, and does not need any patches of its own to address them. It's the Git binary installed on the server, which Bitbucket Server uses for various operations, that has the vulnerabilities and should be patched.

For CVE-2018-11235, Bitbucket Server does not use Git in a way that allows the submodules vulnerability to be exploited. (We cannot make any guarantees about what third-party apps installed in Bitbucket Server do, though; we can only say that nothing in the shipped product is exploitable.) As with CVE-2014-9390 from a few years back, the most important response to CVE-2018-11235 is upgrading Git on client systems.

For CVE-2018-11233, Bitbucket Server's default configuration does not use Git in a way that allows the NTFS vulnerability to be exploited. However, system administrators are able to make configuration changes that would render the system vulnerable. Because upgrading Git on Windows is typically quite simple, we recommend everyone running Bitbucket Server on Windows upgrade out of an abundance of caution.

This is just to clarify where the vulnerabilities lie. @Daniel's response remains the solution.

Best regards,
Bryan Turner
Atlassian Bitbucket

0 votes
edwin
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 30, 2018

Hi Roman,

You can find more information on the advisory page.

Bitbucket Server security advisories

Roman Zabicki May 30, 2018


I'll keep an eye on that page. It currently says "Last modified on Mar 1, 2018".

edwin
Rising Star
May 30, 2018

Sounds good. They will update the page accordingly if it's an issue.
