Multiple Atlassian products use the third-party software Hazelcast, which is vulnerable to Java deserialization attacks. Hazelcast is used by these products when they’re configured to run as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ‘JoinRequest’, resulting in arbitrary code execution.
Only Bitbucket Data Center and Confluence Data Center installations are affected by this vulnerability. Please see below for fixes.
Affected Bitbucket Data Center Versions
Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.
The following versions of Bitbucket Data Center are affected:
- All 5.x versions >= 5.14.x
- All 6.x versions
- All 7.x versions < 7.6.14
- All versions 7.7.x through 7.16.x
- 7.17.x < 7.17.6
- 7.18.x < 7.18.4
- 7.19.x < 7.19.4
- 7.20.0
Bitbucket Data Center Fix
Please update your Bitbucket Data Center instance to one of the following versions:
- 7.6.14
- 7.17.6
- 7.18.4
- 7.19.4
- 7.20.1
- 7.21.0
Find the versions above on Atlassian’s downloads page and use the steps outlined in the Bitbucket upgrade guide to complete the upgrade.
If you are unable to install a fixed version, refer to the “Workaround” section below.
Affected Confluence Data Center Versions
Confluence Data Center is only affected when it is installed as a cluster. To verify whether a cluster installation is being used, check the confluence.cfg.xml file in the Confluence home directory. If the following line is present, it has been installed as a cluster:
<property name="confluence.cluster">true</property>
If the line is not present, or if the value is set to false instead of true, it has not been installed as a cluster.
The following versions of Confluence Data Center are affected when clustering is enabled:
- All versions 5.6.x and later
Fixed Confluence Data Center Versions
Atlassian plans to address this vulnerability in future releases. For updates, watch the following ticket:
CONFSERVER-78179 – Confluence Data Center – Java Deserialization Vulnerability In Hazelcast – CVE-2016-10750 (ticket status at time of writing: NEEDS TRIAGE)
Until then, refer to the “Workaround” section below.
Workaround
Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Bitbucket or Confluence cluster.
For Bitbucket Data Center, Hazelcast uses TCP port 5701 by default.
For Confluence Data Center, Hazelcast uses both TCP ports 5701 and 5801 by default.
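As an added helper that is not Atlassian's code, covering both the confluence.cfg.xml cluster check above and this workaround: it reports whether a Confluence home enables clustering, and prints (without applying) iptables rules that allow the Hazelcast ports only from the cluster peers you list. The function names, the script layout and the peer addresses are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from Atlassian): cluster check plus firewall rule generator.

# Return 0 when <property name="confluence.cluster">true</property> is present in
# $1/confluence.cfg.xml, 1 when it is absent or false, 2 when the file is unreadable.
confluence_cluster_enabled() {
    cfg="$1/confluence.cfg.xml"
    [ -r "$cfg" ] || return 2
    grep -Eq '<property name="confluence\.cluster">[[:space:]]*true[[:space:]]*</property>' "$cfg"
}

# Print iptables rules restricting the Hazelcast ports to the given peers.
# $1 = bitbucket | confluence ; remaining arguments = cluster node IPs.
# Bitbucket uses TCP 5701 by default; Confluence uses TCP 5701 and 5801.
# Rules are printed for review, not executed.
hazelcast_firewall_rules() {
    product="$1"; shift
    case "$product" in
        bitbucket)  ports="5701" ;;
        confluence) ports="5701 5801" ;;
        *) echo "unknown product: $product" >&2; return 1 ;;
    esac
    for port in $ports; do
        for peer in "$@"; do
            echo "iptables -A INPUT -p tcp --dport $port -s $peer -j ACCEPT"
        done
        # Everything else that reaches this port is dropped.
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Example usage with assumed peer addresses (constructed, not from the page):
# confluence_cluster_enabled /var/atlassian/application-data/confluence && \
#     hazelcast_firewall_rules confluence 10.0.0.11 10.0.0.12
```

Review the printed rules against your existing firewall policy before applying them on each node.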
Need Help With This?
Give us a call, or submit a help request here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.