Last updated at Mon, 26 Sep 2022 14:29:02 GMT
On August 24, 2022, Atlassian published an advisory for Bitbucket Server 和 Data Center 提醒用户 cve - 2022 - 36804. The advisory reveals a comm和 injection vulnerability in multiple API endpoints, which allows an attacker with access to a public repository or with 阅读权限 to a private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. cve - 2022 - 36804 carries a CVSSv3 score of 9.而且很容易被利用. Rapid7’s vulnerability research team has a full technical analysis in AttackerKB, including how to use cve - 2022 - 36804 to create a simple reverse shell.
据Shodan说, 大约有1个,400台面向internet的服务器, but it’s not immediately obvious how many have a public repository. There are no public reports of exploitation in the wild as of September 20, 2022年(编辑:见下文注释), but there has been strong interest in the vulnerability from researchers 和 exploit brokers, 和 there are now multiple public exploits available. Because the vulnerability is trivially exploitable 和 the patch is relatively simple to reverse- engineer, it’s likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of cve - 2022 - 36804 soon.
注意: Several threat intelligence sources 报道 seeing exploitation attempts in the wild as of September 23, 2022.
受影响的产品:
Bitbucket Server 和 Data Center 7.6在7之前.6.17
Bitbucket Server 和 Data Center 7.17在7之前.17.10
Bitbucket Server 和 Data Center 7.21在7之前.21.4
Bitbucket Server 和 Data Center 8.0到8.0.3
Bitbucket Server 和 Data Center 8.1在8之前.1.3
Bitbucket Server 和 Data Center 8.2在8之前.2.2
Bitbucket Server 和 Data Center 8.3在8之前.3.1
缓解指导
Organizations that use Bitbucket Server 和 Data Center in their environments should patch as quickly as possible 使用Atlassian的指南, without waiting for a regular patch cycle to occur. Blocking network access to Bitbucket may also function as a temporary stop-gap solution, but this should not be a substitute for patching.
Rapid7客户
InsightVM 和 Nexpose customers can assess their exposure to cve - 2022 - 36804 with an unauthenticated vulnerability check in the September 20, 2022年内容发布(ContentOnly-content-1.1.2653-202209202050).
一个检测规则, Suspicious Process - Atlassian BitBucket Spawns Suspicious Comm和s, was deployed to InsightIDR around 10am ET on September 22, 2022.
更新
September 22, 2022 10:00AM ET
Updated Rapid7客户 section to include information on a new IDR detection rule.
September 26, 2022 10:30 AM EDT
Updated to reflect reports of exploitation in the wild.
更多阅读:
