Atlassian Bitbucket (CVE-2022-21724): org.postgresql:postgresql Dependency in Bitbucket Data Center and Server

Description

This High severity org.postgresql:postgresql Dependency vulnerability was introduced in version 8.0 of Bitbucket Data Center. A version of the PostgreSQL JDBC driver is bundled in the Mesh Application (/app/WEB-INF/mesh/mesh-app.jar) however Mesh does not use the PostgreSQL driver, rather it uses a H2 embedded database. The fix delivered is to no longer bundle the unused PostgreSQL driver in the mesh-app.jar. This org.postgresql:postgresql Dependency vulnerability, with a CVSS Score of 7 and a CVSS Vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.25 * Bitbucket Data Center and Server 8.19: Upgrade to a release greater than or equal to 8.19.15 * Bitbucket Data Center and Server 9.4: Upgrade to a release greater than or equal to 9.4.3 * Bitbucket Data Center and Server 9.5: Upgrade to a release greater than or equal to 9.5.1 * Bitbucket Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.0 See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center from the download center (https://www.atlassian.com/software/bitbucket/download-archives). The National Vulnerability Database provides the following description for this vulnerability: pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.