Critical remote code execution vulnerability in Atlassian Bitbucket Data Center: Update immediately

This week Atlassian issued a security report announcing the fix of CVE-2022-26133, a remote code execution vulnerability in Atlassian Bitbucket Data Center, a code collaboration platform that supports code review, branch permission management, CI/CD, and other features.

In its alert, Atlassian notes that several of its products use the third-party Hazelcast software, which is vulnerable to Java deserialization attacks; these products use Hazelcast when configured to run as a cluster. The vulnerability is a deserialization flaw: the Hazelcast interface in Atlassian Bitbucket Data Center does not filter user-supplied data as it should.

Unauthenticated threat actors could exploit this flaw by sending specially crafted requests, leading to arbitrary code execution. The flaw affects only Atlassian Data Center deployments installed in cluster mode and is considered critical.

According to the report, the following versions of Bitbucket Data Center are affected:

  • All versions >= 5.14.x
  • All versions 6.x
  • All versions 7.x < 7.6.14
  • All versions 7.7.x to 7.16.x
  • 7.17.x < 7.17.6
  • 7.18.x < 7.18.4
  • 7.19.x < 7.19.4
  • 7.20.0

Atlassian noted that Bitbucket Server and Bitbucket Cloud are not affected.

The company’s security teams released an updated version of Bitbucket Data Center that addresses the bug. If users are unable to apply updates, Atlassian recommends restricting access to the Hazelcast port with a firewall or other network access controls as a workaround. The port should be accessible only to other nodes in the Bitbucket or Confluence cluster; remember that for Bitbucket Data Center, Hazelcast uses TCP port 5701 by default.
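
As an added example (not code from Atlassian or from the original article), the Python below applies the affected-version list above to a Bitbucket Data Center version string and, when run from a host outside the cluster, checks whether the Hazelcast port still accepts TCP connections. The function names are hypothetical, and a version that does not appear in the list is treated as not affected.

```python
import re
import socket

HAZELCAST_PORT = 5701  # default for Bitbucket Data Center, per the article

# First unaffected patch level for each 7.x line that has one in the list above.
# (7, 20): 1 encodes "only 7.20.0 is affected".
FIXED_PATCH = {(7, 6): 14, (7, 17): 6, (7, 18): 4, (7, 19): 4, (7, 20): 1}


def parse_version(text):
    """Return (major, minor, patch) from strings such as '7.17.3' or '7.17'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version):
    """Apply the affected-version list to one Bitbucket Data Center version."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (5, 14):
        return False  # older than the first affected release
    if major < 7:
        return True   # 5.14.x and later 5.x, all 6.x
    if major > 7 or minor > 20:
        return False  # not in the affected list
    if minor < 6 or 7 <= minor <= 16:
        return True   # 7.0-7.5 and 7.7-7.16: every patch level is listed
    return patch < FIXED_PATCH[(major, minor)]


def hazelcast_port_open(host, port=HAZELCAST_PORT, timeout=3.0):
    """True if a TCP connection to the Hazelcast port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False  # refused, filtered or unreachable
```

Run `hazelcast_port_open` from a machine that is not a cluster node: a `True` result means the network restriction described above is not in place for that node.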
