Recently, Atlassian issued a security bulletin to fix a code execution vulnerability in Atlassian Bitbucket Data Center. Atlassian Bitbucket Data Center is a modern code collaboration platform from Atlassian that supports code review, branch permission management, CI/CD, and other functions.
The vulnerability was discovered by Benny Jacob (SnowyOwl), and Atlassian assigned CVE-2022-26133 to track it.
In the security advisory, Atlassian says multiple Atlassian products use the third-party software Hazelcast, which is vulnerable to Java deserialization attacks. Hazelcast is used by these products when they are configured to run as a cluster. The root cause is unsafe Java deserialization: the Hazelcast interface exposed by Atlassian Bitbucket Data Center does not adequately validate the data it receives before deserializing it.
A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution. The vulnerability is only exploitable when the Atlassian Data Center product is installed in cluster mode. Atlassian rates the severity of this vulnerability as critical.
Who is Affected?
Atlassian noted that Bitbucket Server and Bitbucket Cloud are not affected by this, but the following versions of Bitbucket Data Center are affected:
- All 5.x versions >= 5.14.x
- All 6.x versions
- All 7.x versions < 7.6.14
- All versions 7.7.x through 7.16.x
- 7.17.x < 7.17.6
- 7.18.x < 7.18.4
- 7.19.x < 7.19.4
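The affected-version ranges above are awkward to check by hand across a fleet of nodes. The following script is an added example (not Atlassian tooling) that encodes those ranges as a version triage function and combines the result with the cluster-mode condition the advisory states; the version strings in the sample run are constructed, and anything outside the listed ranges (pre-5.14, 7.20+, 8.x) is reported as not listed.

```python
"""Version triage for CVE-2022-26133 (Bitbucket Data Center), based on the
affected-version ranges in the advisory above. Added example, not Atlassian
tooling; sample version strings are constructed."""
import re
from typing import Tuple

# First fixed patch level on each branch the advisory names explicitly.
FIXED = {(7, 6): 14, (7, 17): 6, (7, 18): 4, (7, 19): 4}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (patch optional) into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the version falls inside a range the advisory lists as affected."""
    major, minor, patch = parse_version(version)
    if major == 5:
        return minor >= 14                  # all 5.x >= 5.14.x
    if major == 6:
        return True                         # all 6.x
    if major == 7:
        if minor < 6:
            return True                     # 7.0.x .. 7.5.x (< 7.6.14)
        if (major, minor) in FIXED:         # 7.6, 7.17, 7.18, 7.19
            return patch < FIXED[(major, minor)]
        return 7 <= minor <= 16             # 7.7.x through 7.16.x
    return False                            # not in the advisory's list


def assess(version: str, cluster_mode: bool) -> str:
    """Combine the version check with the cluster-mode exposure condition."""
    if not is_affected(version):
        return "not in affected range"
    if not cluster_mode:
        return "affected version, not exploitable outside cluster mode"
    return "VULNERABLE: upgrade, or restrict Hazelcast port 5701 to cluster nodes"


if __name__ == "__main__":
    # Constructed sample inventory: (node version, running as a cluster)
    for v, clustered in [("7.6.13", True), ("7.6.14", True), ("7.17.5", False), ("8.0.0", True)]:
        print(v, "->", assess(v, clustered))
```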
The Atlassian team has released updated versions of Bitbucket Data Center that patch the flaw. As a workaround, Atlassian recommends restricting access to the Hazelcast port by using a firewall or other network access controls; the port only needs to be reachable from the other nodes in the Bitbucket or Confluence cluster.
Note that for Bitbucket Data Center, Hazelcast uses TCP port 5701 by default.