
critical security vulnerability that exists in Bitbucket Server

wzohdy September 19, 2019

Dear All,

We have Bitbucket (self-managed) version 5.5.1.

Is this version impacted with the latest security vulnerability announced?

1 answer

1 accepted

0 votes
Answer accepted
Christian Glockner
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 19, 2019

Hi,

All versions of Bitbucket Server (and Stash) before 5.16.10 are also affected by this problem. You can check the advisory at https://confluence.atlassian.com/bitbucketserver/bitbucket-server-security-advisory-2019-09-18-976762635.html for full details.

Cheers,

Christian

Premier Support Engineer

Atlassian

wzohdy September 19, 2019

Hi Christian,

Our version is 5.5.1.

I can't find it in the advisory list. Does this mean it is not affected?

Daniel Eads
Atlassian Team
September 19, 2019

Hello,

5.5.1 is affected by the vulnerability.

As there have been many releases of Bitbucket Server over the years, it wasn't going to make for a very readable page to list every version explicitly. In the interest of brevity, the advisory's intention:

version < 5.16.10

was for all versions (including 5.5.1) with smaller version numbers than 5.16.10.

Luckily, the mitigation described in the advisory is easy to apply right now while you evaluate upgrading:

To install the hotfix:

This hotfix is a zero-downtime installation; no restart is required after installing the hotfix.

  1. Log in to Bitbucket with your administrator account

  2. Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“

  3. Select “Upload App” and provide the URL

    https://jira.atlassian.com/secure/attachment/376655/bitbucket-bserv-11896-hotfix-1.0.0.jar

  4. Click “Upload” and wait for the hotfix to install.

If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from https://jira.atlassian.com/browse/BSERV-11947. You are then able to upload the Jar file using the same steps above.

After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

Cheers,
Daniel

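As an added example (not code from the thread or from Atlassian), here is a small Python check that applies the advisory's `version < 5.16.10` rule the way Daniel describes it, by comparing version components as integers. It also shows why a plain string comparison gets 5.5.1 wrong, which is the kind of confusion the question above ran into.

```python
import re

# Fixed release named in the advisory quoted in the answers above.
FIXED_VERSION = "5.16.10"


def parse_version(version):
    """Split a Bitbucket Server version string into a tuple of integers.

    Accepts dotted numeric versions with an optional suffix such as
    "5.16.10-SNAPSHOT" (the suffix is ignored for the comparison).
    """
    match = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"not a version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` is older than the fixed release (version < fixed).

    Tuple comparison is component-wise on integers, so 5.5.1 < 5.16.10 holds
    even though 16 sorts after 5 only when compared numerically.
    """
    return parse_version(version) < parse_version(fixed)


def naive_string_check(version, fixed=FIXED_VERSION):
    """The wrong way: lexical string comparison, shown only for contrast.

    "5.5.1" < "5.16.10" is False because '5' > '1' at the third character,
    which would wrongly report 5.5.1 as not affected.
    """
    return version < fixed


if __name__ == "__main__":
    # Constructed sample versions: the asker's 5.5.1, one just below the fix,
    # the fixed release itself, and a later major version.
    for sample in ("5.5.1", "5.16.9", "5.16.10", "6.0.0"):
        print(f"{sample:>8}: affected={is_affected(sample)} "
              f"naive_string={naive_string_check(sample)}")
```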