
Git Buffer Overflow in Multiple Products - CVE-2022-41903, CVE-2022-23521

Summary: Git Buffer Overflow in Multiple Products

Advisory Release Date: 15 Feb 2023 10:00 AM PDT (Pacific Time, -7 hours)

Affected Products:
Bitbucket Server and Data Center
Bamboo Server and Data Center
Fisheye
Crucible
Sourcetree

Atlassian Cloud sites are not affected. Fixes have been deployed to Atlassian Cloud sites. If your Atlassian site is accessed via a bitbucket.org or an atlassian.net domain, it is an Atlassian Cloud site.

Affected Versions:
All versions of Bitbucket Server and Bitbucket Data Center are affected.
All versions of Bamboo Server and Bamboo Data Center are affected.
All versions of Fisheye are affected.
All versions of Crucible are affected.
All versions of Sourcetree for Mac and Windows are vulnerable.

Fixed Versions: Atlassian recommends customers upgrade to the latest patched and supported version of Git available. See specific instructions for each application in the respective sections below.

CVE ID(s): CVE-2022-41903, CVE-2022-23521

As a TAM customer, you receive early notice of critical security vulnerabilities. Please note that this information will not be released publicly until 15 Feb 2023 at 10:00 AM PDT (Pacific Time, -7 hours) and is embargoed until that public release. We provide this advance notification to allow you time to upgrade or otherwise secure your systems quickly. Please let us know if you have any questions.

Summary of Vulnerabilities
This advisory addresses a pair of critical security vulnerabilities in Git that affect multiple Atlassian products.

CVE-2022-41903 - Heap overflow in git archive, git log --format

Git Security Advisory - CVE-2022-41903

git log has the ability to display commits using an arbitrary format with its --format specifiers. This functionality is also exposed to git archive via the export-subst gitattribute.
When processing the padding operators for formatting (e.g., %<(, %<|(, %>(, %>>(, or %><(), an integer overflow can occur. This overflow can be triggered directly by a user running a command that invokes the commit formatting machinery, or indirectly through git archive and the export-subst mechanism.
The integer overflow results in arbitrary heap writes, which may result in remote code execution.

CVE-2022-23521 - gitattributes parsing integer overflow

Git Security Advisory - CVE-2022-23521

gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a .gitattributes file to the repository,
which contains a set of file patterns and the attributes that should be set for paths matching this pattern.
When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single
pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted .gitattributes file that may be part of the
commit history.
These integer overflows can result in arbitrary heap reads and writes, which may result in remote code execution.
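The two descriptions above name what a defender can look for in a repository before patches land: rules that enable export-subst (the git archive path into the CVE-2022-41903 formatting code) and .gitattributes files with the bulk characteristics described for CVE-2022-23521. The following triage helper is an added example, not code from the advisory or from Git; the thresholds and the sample file are constructed assumptions.

```python
# Added triage helper (not part of the advisory or of Git itself). Thresholds
# below are constructed assumptions, not values from the advisory.
MAX_PATTERNS = 10_000
MAX_ATTRS_PER_PATTERN = 64
MAX_ATTR_NAME_LEN = 256


def parse_gitattributes(text: str) -> list[tuple[str, list[str]]]:
    """Return (pattern, [attribute tokens]) per rule; blank and '#' lines are
    skipped as Git does. Quoted patterns containing spaces are not handled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        rules.append((fields[0], fields[1:]))
    return rules


def attr_name(token: str) -> str:
    """'-text' -> 'text', '!diff' -> 'diff', 'diff=c' -> 'diff'."""
    return token.lstrip("-!").split("=", 1)[0]


def triage_gitattributes(text: str) -> dict:
    """Flag export-subst rules (the git archive path into CVE-2022-41903) and
    the bulk characteristics the advisory names for CVE-2022-23521."""
    rules = parse_gitattributes(text)
    return {
        "pattern_count": len(rules),
        "too_many_patterns": len(rules) > MAX_PATTERNS,
        "export_subst_patterns": [p for p, a in rules if "export-subst" in a],
        "patterns_with_too_many_attrs": [p for p, a in rules
                                         if len(a) > MAX_ATTRS_PER_PATTERN],
        "oversized_attr_names": sorted({attr_name(t) for _, a in rules for t in a
                                        if len(attr_name(t)) > MAX_ATTR_NAME_LEN}),
    }


# Constructed sample: ordinary rules plus one whose attribute name is far longer
# than a real .gitattributes would carry.
SAMPLE = "\n".join([
    "# constructed sample .gitattributes",
    "*.c      text diff=c",
    "VERSION  export-subst",
    "*.bin    -text -diff",
    "*.odd    " + "a" * 300,
])
```

Run it over every .gitattributes in a repository's history, not only the checked-out copy, since the advisory notes the crafted file may sit anywhere in the commit history.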

Confidential Atlassian | Technical Account Management Page 1 of 4
Severity
Atlassian rates the severity level of these vulnerabilities as critical, according to the scale published in our Atlassian severity levels. The scale allows us
to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.

Affected Products
Git has released patches for both vulnerabilities for versions >= v2.30.7.
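A check an administrator can run against the Git binary each product is configured to use, written as an added example (not Atlassian's or Git's own code). The advisory states only the v2.30.7 floor; the per-track fixed releases in the table are an assumption taken from the upstream Git release announcement and are what make a banner like 2.31.0 report as unpatched despite being numerically above the floor.

```python
import re
import subprocess

# The advisory only states the floor (>= v2.30.7). Upstream Git shipped the fix
# on every maintained track at once, so a 2.31.0 is numerically above the floor
# yet unpatched. The per-track minimums are an assumption taken from the
# upstream release announcement, not from this advisory.
FIXED_PER_TRACK = {
    (2, 30): 7, (2, 31): 6, (2, 32): 5, (2, 33): 6, (2, 34): 6,
    (2, 35): 6, (2, 36): 4, (2, 37): 5, (2, 38): 3, (2, 39): 1,
}
LAST_FIXED_TRACK = (2, 39)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_git_version(banner: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a 'git --version' banner such as
    'git version 2.39.0.windows.2' or 'git version 2.37.1 (Apple Git-137.1)'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised git version banner: {banner!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(banner: str) -> bool:
    """True if the version is at or above the fixed release of its own track."""
    major, minor, patch = parse_git_version(banner)
    if (major, minor) > LAST_FIXED_TRACK:
        return True          # released after the fix, e.g. 2.40.0
    floor = FIXED_PER_TRACK.get((major, minor))
    if floor is None:
        return False         # track older than 2.30: no fixed release exists
    return patch >= floor


def check_local_git(git: str = "git") -> tuple[str, bool]:
    """Run the given git binary (e.g. the one Bitbucket or Bamboo is configured
    to use) and classify it from its version banner."""
    out = subprocess.run([git, "--version"], capture_output=True, text=True,
                         check=True).stdout.strip()
    return out, is_patched(out)


if __name__ == "__main__":
    banner, ok = check_local_git()
    print(f"{banner}: {'patched' if ok else 'VULNERABLE'}")
```

Distribution packages sometimes backport fixes without changing the version string, so treat a VULNERABLE result as a prompt to check the package changelog rather than a final verdict.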

Bitbucket Server and Data Center

Affected Versions
All versions of Bitbucket Server and Bitbucket Data Center are affected.

Patch Recommendations

For customers providing Git themselves: Atlassian recommends customers upgrade to the latest patched and supported version of Git available. Please refer to the supported platforms page for a particular version of Bitbucket to find if it supports Git v2.30.7+. Customers using versions of Bitbucket Server and Data Center < 7.9 will need to upgrade Bitbucket to a later version to support a patched version of Git. However, for customers running Bitbucket 7.6, the Bitbucket Team has tested and confirmed that Git v2.30.7 should work.

For customers using a Bitbucket Docker Image: All images in the support lifecycle for Bitbucket have been updated to use a patched version of Git. Please re-download the images to pull the latest changes. Similarly, customers that pin a Bitbucket image to a hash need to update to the latest hash version associated with the respective image tag.

For customers using Git for Windows: The Bitbucket team has released version v7.21.9, which adds support for Git v2.39.x. Please update to the latest patched and supported version of Git available. Currently, Git for Windows does not have plans to backport fixes for these vulnerabilities.

Bamboo Server and Data Center

Affected Versions
All versions of Bamboo are affected.

Patch Recommendations

For customers providing Git themselves: Atlassian recommends customers update Git at the Bamboo server and remote agents to the latest patched and supported version available. Please refer to the supported platforms page for a particular version of Bamboo to see if it supports Git v2.30.7+.

For customers using a Bamboo Docker Image: All images in the support lifecycle have been updated to use a patched version of Git. Please re-download the images to pull the latest changes. Similarly, customers that pin a Bamboo image to a hash need to update to the latest hash version associated with the respective image tag.

For customers using Elastic Bamboo: New AMIs have been prepared with a patched Git version for Linux and Windows in supported regions in the upcoming Bamboo 9.1.3 release. Customers not wanting to wait for the release can add a line to update Git in the image startup script at the existing image configuration screen, or download and use the AMIs before the official release.

For customers using Git for Windows: Please update to the latest version of Git for Windows. Currently, Git for Windows does not have plans to backport fixes for these vulnerabilities.

Fisheye Server

Affected Versions
All versions of Fisheye are affected.

Patch Recommendations

For customers providing Git themselves: Atlassian recommends customers upgrade to the latest patched and supported version of Git available. Please refer to the supported platforms page for a particular version of Fisheye to see if it supports Git v2.30.7+.

For customers using a Fisheye Docker Image: All images in the support lifecycle have been updated to use a patched version of Git. Please re-download the images to pull the latest changes. Similarly, customers that pin a Fisheye image to a hash need to update to the latest hash version associated with the respective image tag.

For customers using Git for Windows: Please update to the latest version of Git for Windows. Currently, Git for Windows does not have plans to backport fixes for these vulnerabilities.

Crucible Server

Affected Versions
All versions of Crucible are affected.

Patch Recommendations

For customers providing Git themselves: Atlassian recommends customers upgrade to the latest patched and supported version of Git available. Please refer to the supported platforms page for a particular version of Fisheye to see if it supports Git v2.30.7+.

For customers using a Crucible Docker Image: All images in the support lifecycle have been updated to use a patched version of Git. Please re-download the images to pull the latest changes. Similarly, customers that pin a Crucible image to a hash need to update to the latest hash version associated with the respective image tag.

For customers using Git for Windows: Please update to the latest version of Git for Windows. Currently, Git for Windows does not have plans to backport fixes for these vulnerabilities.



Sourcetree

Affected Versions
All versions of Sourcetree for Mac and Windows are vulnerable.

Fixed Versions
The Sourcetree team is actively working on updating embedded Git binaries to v2.39.1 for the next product release version.

Mac: v4.2.2
Windows: v3.4.12

Mitigation
While the Sourcetree team is working on updating the embedded Git binary, we recommend customers switch Sourcetree to use a patched system Git
version.

References
Security Bug Fix Policy: As per our new policy, critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.

Severity Levels for security issues: Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy: Our end of life policy varies for different products. Please refer to our EOL Policy for details.

