===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0956
                       March 2019 Sourcetree Advisory
                                22 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Sourcetree
Publisher:         Atlassian
Operating System:  Mac OS
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-20236 CVE-2018-20235 CVE-2018-20234
                   CVE-2018-17456

Original Bulletin:
   https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2019-03-06-966678691.html

--------------------------BEGIN INCLUDED TEXT--------------------

March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities

Summary
  March 2019 Sourcetree Advisory - Multiple Remote Code Execution
  Vulnerabilities

Advisory Release Date
  06 Mar 2019 10:00 AM PDT (Pacific Time, -7 hours)

Products
  o Sourcetree for macOS
  o Sourcetree for Windows

Affected Sourcetree Versions
  o Sourcetree for macOS 1.2 <= version < 3.1.1
  o Sourcetree for Windows 0.5a <= version < 3.0.17

Fixed Sourcetree Versions
  o Sourcetree for macOS version 3.1.1 and higher.
  o Sourcetree for Windows version 3.0.17 and higher.

CVE ID(s)
  o CVE-2018-20234
  o CVE-2018-20235
  o CVE-2018-17456
  o CVE-2018-20236

Summary of Vulnerabilities

This advisory discloses three critical severity security vulnerabilities in
Sourcetree for macOS and Sourcetree for Windows. Versions of Sourcetree for
macOS starting with 1.2 before 3.1.1, and versions of Sourcetree for Windows
starting with 0.5a before 3.0.17 are affected by one or more of these
vulnerabilities.

Customers who have upgraded to Sourcetree for macOS version 3.1.1 or
Sourcetree for Windows version 3.0.17 are not affected.

Customers who have downloaded and installed Sourcetree for macOS before
version 3.1.1 or Sourcetree for Windows before version 3.0.17 are affected.

Please upgrade your Sourcetree installations immediately to fix this
vulnerability.

Mercurial hooks vulnerability - CVE-2018-20234 and CVE-2018-20235

Severity

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT
environment.

Description

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before
version 3.0.15 were vulnerable to CVE-2018-20234 and CVE-2018-20235
respectively. A remote attacker with permission to commit to a Mercurial
repository linked in Sourcetree for macOS or Windows is able to exploit this
issue to gain code execution on the system.

Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are
affected by this vulnerability. This issue can be tracked here:

  SRCTREE-6391 - Argument Injection via Mercurial hooks in Sourcetree for
  macOS - CVE-2018-20234 (CLOSED)

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.15
are affected by this vulnerability. This issue can be tracked here:

  SRCTREEWIN-11289 - Argument Injection via Mercurial hooks in Sourcetree for
  Windows - CVE-2018-20235 (CLOSED)

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at
Tophant.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree for Windows version 3.0.15 that contains a fix for
     this issue.
  2. Released Sourcetree for macOS version 3.1.1 that contains a fix for this
     issue.

Git submodules vulnerability - CVE-2018-17456

Severity

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT
environment.

Description

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before
version 3.0.17 were both vulnerable to CVE-2018-17456. A remote attacker with
permission to commit to a git repository linked in Sourcetree for macOS or
Windows is able to exploit this issue to gain code execution on the system.

Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are
affected by this vulnerability. This issue can be tracked here:

  SRCTREE-6394 - Input validation vulnerability via Git in Sourcetree for Mac
  - CVE-2018-17456 (CLOSED)

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.17
are affected by this vulnerability. This issue can be tracked here:

  SRCTREEWIN-11292 - Input validation vulnerability via Git in Sourcetree for
  Windows - CVE-2018-17456 (CLOSED)

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at
Tophant.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree for macOS version 3.1.1 that contains a fix for this
     issue.
  2. Released Sourcetree for Windows version 3.0.17 that contains a fix for
     this issue.

URI handling vulnerability - CVE-2018-20236

Severity

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT
environment.

Description

Sourcetree for Windows before version 3.0.10 was vulnerable to
CVE-2018-20236. A remote attacker able to send a URI to a Sourcetree for
Windows user is able to exploit this issue to gain code execution on the
system.

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.10
are affected by this vulnerability. This issue can be tracked here:

  SRCTREEWIN-11291 - Command Injection via URI handling in Sourcetree for
  Windows - CVE-2018-20236 (CLOSED)

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at
Tophant.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree for Windows version 3.0.10 that contains a fix for
     this issue.

What You Need to Do

Upgrade Sourcetree for Windows to version 3.0.17 or higher.

Upgrade Sourcetree for macOS to version 3.1.1 or higher.

Atlassian recommends that you upgrade to the latest version. For a full
description of the latest version of Sourcetree for macOS, see the release
notes. For a full description of the latest version of Sourcetree for
Windows, see the release notes. You can download the latest version of
Sourcetree from the Sourcetree website.

Support

If you did not receive an email for this advisory and you wish to receive
such emails in the future go to https://my.atlassian.com/email and subscribe
to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

References

  Security Bugfix Policy     Our SLAs and guarantees for bugfixes.

  Severity Levels for        Atlassian security advisories include a severity
  security issues            level and a CVE identifier. This severity level
                             is based on our self-calculated CVSS score for
                             each specific vulnerability. CVSS is an industry
                             standard vulnerability metric. You can also learn
                             more about CVSS at FIRST.org.

  End of Life Policy         Our end of life policy varies for different
                             products. Please refer to the policy for details.

Last modified on Mar 6, 2019

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
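Added here as a defender's inventory check, not part of the AusCERT bulletin or Atlassian's advisory: given a platform and an installed Sourcetree version string, it reports which of the advisory's CVEs that build is still exposed to, using the per-CVE fixed versions stated above (Windows 3.0.10, 3.0.15 and 3.0.17 differ per issue). The version parser and its ordering of the "0.5a" style suffix are my assumptions.

```python
import re

# Affected ranges as stated in the advisory: (platform, first affected
# version inclusive, first fixed version exclusive, CVE). The Windows fixed
# version differs per CVE even though the summary recommends 3.0.17 overall.
AFFECTED_RANGES = [
    ("macos",   "1.2",  "3.1.1",  "CVE-2018-20234"),  # Mercurial hooks
    ("macos",   "1.2",  "3.1.1",  "CVE-2018-17456"),  # Git submodules
    ("windows", "0.5a", "3.0.15", "CVE-2018-20235"),  # Mercurial hooks
    ("windows", "0.5a", "3.0.17", "CVE-2018-17456"),  # Git submodules
    ("windows", "0.5a", "3.0.10", "CVE-2018-20236"),  # URI handling
]

# Minimum versions from the advisory's "What You Need to Do" section.
RECOMMENDED = {"macos": "3.1.1", "windows": "3.0.17"}


def parse_version(text):
    """Turn '3.0.17', '1.2' or '0.5a' into a comparable (numbers, suffix) tuple.

    Assumption: a trailing letter suffix such as the advisory's '0.5a' is
    compared lexically after the numeric components, and missing components
    count as zero (so 1.2 == 1.2.0).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Sourcetree version: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))
    return numbers, m.group(2)


def exposed_cves(platform, version):
    """Return the sorted CVEs from this advisory the installed version is exposed to."""
    v = parse_version(version)
    return sorted({
        cve for plat, first, fixed, cve in AFFECTED_RANGES
        if plat == platform.lower()
        and parse_version(first) <= v < parse_version(fixed)
    })


def needs_upgrade(platform, version):
    """True when the version is below the advisory's recommended minimum."""
    return parse_version(version) < parse_version(RECOMMENDED[platform.lower()])


if __name__ == "__main__":
    for plat, ver in [("windows", "3.0.12"), ("windows", "3.0.17"), ("macos", "3.1.0")]:
        print(plat, ver, exposed_cves(plat, ver), "upgrade" if needs_upgrade(plat, ver) else "ok")
```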