Ambientia's response to CVE-2022-36804 (Command Injection in Bitbucket Server)
Incident Report for Ambientia
This incident has been resolved.
Posted Sep 02, 2022 - 12:39 EEST
On Wednesday 24th of August 2022, 20:00 EEST, Atlassian published a new critical security advisory concerning a security vulnerability in Bitbucket Server. Using this vulnerability, an attacker can execute arbitrary code by sending specifically crafted requests to certain API endpoints. Depending on system configuration, this vulnerability may or may not be exploitable by attackers without credentials.

We have examined Bitbucket Server instances managed by Ambientia and have concluded that our configuration management systems that handle provisioning and configuration of Bitbucket Server instances have for quite some time, by default, set the feature.public.access property to the value false, which is the recommended, temporary workaround suggested by Atlassian. Thus any Ambientia managed Bitbucket Server instances are not directly exploitable by outside attackers. However, the vulnerability can still be exploited by attackers who have read-level access to any repository hosted in the Bitbucket Server instance, leaving the possibility of an insider threat open. As a good security practice, we also always recommend upgrading to a fixed version of Atlassian software as the long-term solution to security issues of critical rating.
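For administrators who want to confirm that the temporary workaround described above is actually in place on an instance, the following check is an added example (not Ambientia's tooling and not Atlassian's code). It assumes the property is set in the instance's bitbucket.properties file and treats an absent key as unmitigated; that is a conservative assumption made here, not a statement of the product's default value. The sample configurations are constructed inline.

```python
"""Check whether a Bitbucket Server bitbucket.properties applies the
feature.public.access=false workaround.

Added example, not Ambientia's or Atlassian's code. Assumes the property is
configured in bitbucket.properties; an absent key is reported as unmitigated
(a conservative assumption, not the product default).
"""
import re
from typing import Dict, Tuple

WORKAROUND_KEY = "feature.public.access"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#' / '!' comment lines, '=' or ':'
    separators, surrounding whitespace, and backslash line continuations."""
    props: Dict[str, str] = {}
    # Join lines that end with a backslash onto the following line.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for line in joined.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", stripped)
        if not m:
            continue
        props[m.group(1)] = m.group(2).strip()
    return props


def workaround_status(text: str) -> Tuple[bool, str]:
    """Return (mitigated, explanation) for the given properties file content."""
    props = parse_properties(text)
    value = props.get(WORKAROUND_KEY)
    if value is None:
        return False, (f"{WORKAROUND_KEY} is not set; treated as unmitigated "
                       "(conservative assumption, not the product default)")
    if value.lower() == "false":
        return True, f"{WORKAROUND_KEY}=false: public access disabled (temporary workaround applied)"
    return False, f"{WORKAROUND_KEY}={value}: public access still enabled"


# Constructed sample configurations for demonstration.
MITIGATED = """
# bitbucket.properties (constructed sample)
server.port=7990
feature.public.access = false
"""
UNMITIGATED = """
server.port=7990
feature.public.access=true
"""
MISSING = "server.port=7990\n"

if __name__ == "__main__":
    import pathlib
    import sys
    # Pass the real file path as argv[1]; otherwise the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    content = pathlib.Path(path).read_text() if path else MITIGATED
    mitigated, message = workaround_status(content)
    print(("OK   " if mitigated else "WARN ") + message)
```

Run it against the instance's bitbucket.properties (for example `python check_public_access.py /path/to/bitbucket.properties`); a WARN line means the workaround is not in effect and the upgrade should be prioritised. As the report notes, the workaround only removes unauthenticated exposure; the check says nothing about users who already hold repository read access.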

Thus we strongly suggest upgrading Bitbucket Server to a fixed version in a timely fashion. We will be in touch with our managed services customers regarding the timeline for specific upgrades shortly. For customers that have only acquired a Bitbucket Server license through us and need assistance with the upgrade, we kindly ask you to get in touch with our sales.

We are monitoring the situation for any possible changes in the recommended mitigations and are prepared to implement them if such a need arises.

You can read the official Atlassian security advisory here:
Posted Aug 25, 2022 - 16:36 EEST