Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Bitbucket and CVE-2018-11235 and CVE-2018-11233

Roman Zabicki
Roman Zabicki
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
May 30, 2018

What versions of bitbucket contain the fixes for these CVEs?

Answer
Watch
Like amit raj likes this
1593 views

4 answers

2 accepted

6 votes
Answer accepted
Daniel
Daniel
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 30, 2018

Bitbucket Server running on Windows may be affected by CVE-2018-11233, if you have enabled any of the fsckObjects options ("fetch.fsckObjects", "receive.fsckObjects" or "transfer.fsckObjects") in any of your repositories, or globally for the Bitbucket Server user. For those running on Windows, we recommend updating Bitbucket Server with a patched version of Git. Information on updating Git can be found at https://confluence.atlassian.com/bitbucketserver/installing-and-upgrading-git-776640906.html.

Bitbucket Server itself is not vulnerable to CVE-2018-11235, regardless of platform, but we strongly recommend updating your client Git installations with a patched version of Git. The following versions of Git contain patches for CVE-2018-11233 and CVE-2018-11235:

  •  Git 2.17.1
  • Git 2.16.4
  • Git 2.15.2
  • Git 2.14.4
  • Git 2.13.7

Be aware that the advice found below for enabling transfer.fsckObjects can result in significantly higher disk and CPU usage when servicing clone, fetch, pull and push operations. We recommend monitoring system utilization to ensure the increased load doesn't cause performance issues. Additionally, once you have upgraded all of your Git clients we recommend disabling the transfer.fsckObjects option again.


Additionally, after upgrading to a fixed version of Git on Bitbucket Server, you may want to consider globally enabling the transfer.fsckObjects Git option to help prevent exploitation of vulnerable Git client installations until all clients have been patched.

This can be done by running the following command as the user that Bitbucket Server runs as. 

git config --global --bool transfer.fsckObjects true
View More Comments
Rabh Pandya
Rabh Pandya
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
May 31, 2018

Is Bitbucket cloud affected by this vulnerability?

Like
Bryan Turner
Bryan Turner
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 31, 2018

@Rabh Pandya,

No, Bitbucket Cloud is not affected by either vulnerability. However, for CVE-2018-11235, we still recommend updating client Git versions to ensure they're safe from any malicious repositories that may exist on any of the various hosting platforms.

Best regards,
Bryan Turner
Atlassian Bitbucket

Like
Reply
2 votes
Answer accepted
Caterina Curti
Caterina Curti
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 1, 2018

Please refer to the article by the Atlassian Security team on this subject:

- Atlassian Products & Services and CVE-2018-11235 & CVE-2018-11233

 

This covers Bitbucket Server as well as the other Atlassian Products & services.

 

Thanks,

Caterina - Atlassian

Reply
2 votes
Bryan Turner
Bryan Turner
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 31, 2018

Just to offer a little clarification, Bitbucket Server itself is not vulnerable to either CVE, and does not need any patches of its own to address them. It's the Git binary installed on the server, which Bitbucket Server uses for various operations, that has the vulnerabilities and should be patched.

For CVE-2018-11235, Bitbucket Server does not use Git in a way that allows the submodules vulnerability to be exploited. (We cannot make any guarantees about what third-party apps installed in Bitbucket Server do, though; we can only say that nothing in the shipped product is exploitable.) As with CVE-2014-9390 from a few years back, the most important response to CVE-2018-11235 is upgrading Git on client systems.

For CVE-2018-11233, Bitbucket Server's default configuration does not use Git in a way that allows the NTFS vulnerability to be exploited. However, system administrators are able to make configuration changes that would render the system vulnerable. Because upgrading Git on Windows is typically quite simple, we recommend everyone running Bitbucket Server on Windows upgrade out of an abundance of caution.

This is just to clarify where the vulnerabilities lie. @Daniel's response remains the solution.

Best regards,
Bryan Turner
Atlassian Bitbucket

Reply
0 votes
Edwin Kyalangalilwa
Edwin Kyalangalilwa
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
May 30, 2018

Hi Roman,

You can find more information on the advisory page.

Bitbucket Server security advisories

View More Comments
Roman Zabicki
Roman Zabicki
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
May 30, 2018

 

I'll keep an eye on that page. It currently says "Last modified on Mar 1, 2018".

Like
Edwin Kyalangalilwa
Edwin Kyalangalilwa
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
May 30, 2018

Sounds good. They will update the page accordingly if its an issue.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.