Security Issues for Bitbucket Data Center

Atlassian has announced that Bitbucket Data Center instances, may be at risk after a series of security issues were detected. Below you will find information on each of the security issues identified by Atlassian, as well as confirmation as to whether or not you and your versions are affected.

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced in version 5.13.0 of Bitbucket Data Center. 

The following Bitbucket Data Center versions are affected by this vulnerability:

• 5.13.0 up to and including 5.13.5
• 5.14.0 up to and including 5.14.3
• 5.15.0 up to and including 5.15.2
• 5.16.0 up to and including 5.16.2
• 6.0.0 up to and including 6.0.2
• 6.1.0 up to and including 6.1.1
  
  

Customers who have upgraded Bitbucket Data Center to these versions are not affected:

• 5.13.6, 
• 5.14.4, 
• 5.15.3, 
• 5.16.3, 
• 6.0.3 or 
• 6.1.2

What Atlassian suggests you to do to fix this issue?

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Data Center, see the release notes. You can download the latest version of Bitbucket Data Center from the download Center.

Upgrade Bitbucket Data Center to version 6.1.2 or higher.

If you are running Bitbucket Data Center 5.13.x and cannot upgrade to 6.1.2  then upgrade to version 5.13.6.

If you are running Bitbucket Data Center 5.14.x and cannot upgrade to 6.1.2 then upgrade to version 5.14.4.

If you are running Bitbucket Data Center 5.15.x and cannot upgrade to 6.1.2 then upgrade to version 5.15.3.

If you are running Bitbucket Data Center 5.16.x and cannot upgrade to 6.1.2 then upgrade to version 5.16.3.

If you are running Bitbucket Data Center 6.0.x and cannot upgrade to 6.1.2 then upgrade to version 6.0.3.

What Atlassian suggests you can do to mitigate risk in the short term?

The import functionality can be disabled via a feature flag, which would mitigate this vulnerability. This can be done by setting the property feature.data.center.migration.import=false in bitbucket.properties. Note that the export functionality would still work in this case.

If an import task still needs to be run, enable the feature on an isolated cluster node (inaccessible by users and admins but still connected to the cluster and accessible by sysadmins) with a node-local bitbucket.properties file where the property feature.data.center.migration.import=true is set. Imports can then be started by talking to this node directly while it would still be disabled on other nodes.