Atlassian released patches in November 2022 for two critical vulnerabilities affecting Bitbucket Server, Bitbucket Data Center, and Crowd. The vulnerabilities are tracked as CVE-2022-43781 (command injection) and CVE-2022-43782 (improper authentication). Both can be detected with a vulnerability assessment tool, and a vulnerability management system can help prevent these attacks by ensuring the fixed versions below are rolled out.
Technical Details of Atlassian Critical Vulnerabilities of November 2022:
CVE-2022-43781 – A command injection vulnerability in Atlassian Bitbucket Server and Data Center, triggered through environment variables. An attacker with permission to control their username can exploit this issue to execute code on the affected system.
CVE-2022-43782 – An improper authentication vulnerability in Atlassian Crowd's REST API under the user management path. It allows an attacker to connect remotely and authenticate as the Crowd application without providing a password, and then call privileged endpoints. The vulnerability is only exploitable if the attacker's IP address has been added to the application's list of allowed remote addresses, which is not the default configuration.
Atlassian addresses these two critical vulnerabilities in this update.
Affected Versions of Atlassian Critical Vulnerabilities of November 2022:
- Atlassian Bitbucket Server and Data Center from 7.0.0 before 7.6.19
- Atlassian Bitbucket Server and Data Center from 7.7.0 before 7.17.12
- Atlassian Bitbucket Server and Data Center from 7.18.0 before 7.21.6
- Atlassian Bitbucket Server and Data Center from 8.0.0 before 8.0.5
- Atlassian Bitbucket Server and Data Center from 8.1.0 before 8.1.5
- Atlassian Bitbucket Server and Data Center from 8.2.0 before 8.2.4
- Atlassian Bitbucket Server and Data Center from 8.3.0 before 8.3.3
- Atlassian Bitbucket Server and Data Center from 8.4.0 before 8.4.2
Note: the 8.x series is only affected if “mesh.enabled” is set to false in “bitbucket.properties”.
- Atlassian Crowd from 3.0.0 before 4.4.4
- Atlassian Crowd from 5.0.0 before 5.0.3
Note: Crowd 3.0.0 has reached end of life (EOL), so no fixed release is published for that range.
Fixed versions for Atlassian critical vulnerabilities of November 2022:
- Bitbucket Server and Data Center: 7.6.19, 7.17.12, 7.21.6, 8.0.5, 8.1.5, 8.2.4, 8.3.3, 8.4.2, and 8.5.0 or later are fixed versions.
- Crowd: the issue is resolved in versions 4.4.4 and 5.0.3.
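As an added example (not Atlassian's tooling and not part of the original advisory), the following Python script checks a Bitbucket Server/Data Center or Crowd version string against the affected ranges and fixed versions listed above. It also honours the note for the 8.x series by reading `mesh.enabled` from the text of `bitbucket.properties`; it assumes the usual `key=value` properties syntax and treats a missing `mesh.enabled` key as false (an assumption, since Mesh is opt-in). The sample versions and properties text at the bottom are constructed for the demonstration.

```python
"""Offline check of Atlassian product versions against the November 2022
advisory ranges. Added example; not Atlassian's own tooling."""
from typing import List, Optional, Tuple

# (affected_from, fixed_in): a version is affected if affected_from <= v < fixed_in.
# Ranges copied from the advisory text above.
BITBUCKET_RANGES: List[Tuple[str, str]] = [
    ("7.0.0", "7.6.19"),
    ("7.7.0", "7.17.12"),
    ("7.18.0", "7.21.6"),
    ("8.0.0", "8.0.5"),
    ("8.1.0", "8.1.5"),
    ("8.2.0", "8.2.4"),
    ("8.3.0", "8.3.3"),
    ("8.4.0", "8.4.2"),
]
CROWD_RANGES: List[Tuple[str, str]] = [
    ("3.0.0", "4.4.4"),  # 3.x is EOL; 4.4.4 is the earliest fixed release
    ("5.0.0", "5.0.3"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.21.5' into (7, 21, 5) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def mesh_enabled(properties_text: str) -> bool:
    """Read mesh.enabled from bitbucket.properties content.

    Comment lines (# or !) are skipped; both 'key=value' and 'key: value'
    forms are accepted. A missing key is treated as false (assumption).
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":" if ":" in line else None
        if sep is None:
            continue
        key, _, value = line.partition(sep)
        if key.strip() == "mesh.enabled":
            return value.strip().lower() == "true"
    return False


def _fixed_version(version: str, ranges: List[Tuple[str, str]]) -> Optional[str]:
    v = parse_version(version)
    for start, fixed in ranges:
        if parse_version(start) <= v < parse_version(fixed):
            return fixed
    return None


def bitbucket_status(version: str, properties_text: str = "") -> Optional[str]:
    """Return the version to upgrade to if `version` is affected, else None.

    Per the advisory note, 8.x builds are only affected when Mesh is disabled.
    """
    fixed = _fixed_version(version, BITBUCKET_RANGES)
    if fixed and parse_version(version)[0] >= 8 and mesh_enabled(properties_text):
        return None
    return fixed


def crowd_status(version: str) -> Optional[str]:
    """Return the Crowd version to upgrade to if `version` is affected, else None."""
    return _fixed_version(version, CROWD_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    sample_properties = "# mesh.enabled=true\nmesh.enabled = false\n"
    for ver in ("7.21.5", "8.4.1", "8.5.0"):
        print("Bitbucket", ver, "->", bitbucket_status(ver, sample_properties))
    for ver in ("3.7.2", "5.0.2", "5.0.3"):
        print("Crowd", ver, "->", crowd_status(ver))
```

The check compares version tuples rather than strings, so `7.17.12` correctly sorts above `7.17.2`. Feed it the version reported by your instance's administration page and the contents of the instance's `bitbucket.properties`; a non-`None` result is the release to upgrade to.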
Some mitigation advice for Atlassian critical vulnerabilities of November 2022:
If you cannot upgrade the Bitbucket instance, disable “Public Signup.” This will reduce the risk of exploitation by changing the attack vector from an unauthenticated attack to an authenticated one.
To disable this setting:
- Go to Administration > Authentication.
- Clear the Allow public sign-up checkbox.
Note: this is a temporary mitigation, because authenticated ADMIN or SYS_ADMIN users can still exploit the vulnerability while public signup is disabled. Upgrade to a fixed version as soon as possible.
These two critical vulnerabilities are the main focus of the Atlassian patch update.
If you cannot upgrade Crowd, ensure that the Crowd application is not configured for remote access. Follow these steps:
- Log in to the Crowd Administration Console.
- In the top navigation bar, click Applications.
- In the Application Browser, click the application name you wish to update.
- In the View Application screen, click the Remote Addresses tab. You will see a list of IP addresses and hostnames currently mapped to the application.
- Remove any remote addresses accordingly.
If a remote IP address is necessary, set a strong password for your Crowd application. These were the highlights of the Atlassian critical vulnerabilities of November 2022.