Critical Security Advisory: Hazelcast Vulnerable To Remote Code Execution

Multiple Atlassian products use the third-party software Hazelcast, which is vulnerable to Java deserialization attacks. Hazelcast is used by these products when they’re configured to run as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ‘JoinRequest’, resulting in arbitrary code execution.

Only Bitbucket Data Center and Confluence Data Center installations are affected by this vulnerability. Please see below for fixes.

Affected Bitbucket Data Center Versions

Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.

The following versions of Bitbucket Data Center are affected:

  • All 5.x versions >= 5.14.x
  • All 6.x versions
  • All 7.x versions < 7.6.14
  • All versions 7.7.x through 7.16.x
  • 7.17.x < 7.17.6
  • 7.18.x < 7.18.4
  • 7.19.x < 7.19.4
  • 7.20.0

Bitbucket Data Center Fix

Please update your Bitbucket Data Center instance to one of the following versions:

  • 7.6.14
  • 7.17.6
  • 7.18.4
  • 7.19.4
  • 7.20.1
  • 7.21.0

Find the versions above on Atlassian’s downloads page and use the steps outlined in the Bitbucket upgrade guide to complete the upgrade.

If you are unable to install a fixed version, refer to the “Workaround” section below.

Affected Confluence Data Center Versions

Confluence Data Center is only affected when it is installed as a cluster. To verify whether a cluster installation is being used, check the confluence.cfg.xml file in the Confluence home directory. If the following line is present, it has been installed as a cluster:

<property name="confluence.cluster">true</property>

If the line is not present or if the value is set to false instead of true, it has not been installed as a cluster.

The following versions of Confluence Data Center are affected when clustering is enabled:

  • All versions 5.6.x and later

Fixed Confluence Data Center Versions

Atlassian plans to address this vulnerability in future releases. For updates, watch the following ticket:

CONFSERVER-78179 – Confluence Data Center – Java Deserialization Vulnerability In Hazelcast – CVE-2016-10750 (ticket status at time of writing: Needs Triage)

Until then, refer to the “Workaround” section below.

Workaround

Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Bitbucket or Confluence cluster.

For Bitbucket Data Center, Hazelcast uses TCP port 5701 by default.

For Confluence Data Center, Hazelcast uses both TCP ports 5701 and 5801 by default.
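As an added example that is not part of the advisory, the following POSIX shell script shows both checks an administrator would want for the workaround above: whether a Confluence home directory is configured as a cluster (the confluence.cfg.xml property quoted above), and a generated set of iptables rules that allow the Hazelcast port(s) only from the cluster's own nodes. The function names, the use of iptables, and the node addresses in the comments are assumptions; the script prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not Atlassian's code. Two helpers for the Hazelcast workaround:
#  - confluence_is_clustered: inspect confluence.cfg.xml for the cluster property
#  - hazelcast_firewall_rules: emit iptables rules restricting the Hazelcast
#    port(s) to the given cluster node addresses (printed, not applied)

# Return 0 if <property name="confluence.cluster">true</property> is present
# in $1/confluence.cfg.xml, 1 otherwise (missing file or value "false").
confluence_is_clustered() {
    cfg="$1/confluence.cfg.xml"
    [ -r "$cfg" ] || return 1
    grep -Eq '<property[[:space:]]+name="confluence\.cluster">[[:space:]]*true[[:space:]]*</property>' "$cfg"
}

# Print iptables rules that accept the Hazelcast port(s) only from the listed
# cluster nodes and drop every other source.
#   $1    = product: "bitbucket" (TCP 5701) or "confluence" (TCP 5701 and 5801)
#   $2... = IPv4 addresses or CIDRs of the other nodes in the cluster
hazelcast_firewall_rules() {
    product="$1"; shift
    case "$product" in
        bitbucket)  ports="5701" ;;
        confluence) ports="5701 5801" ;;
        *) echo "unknown product: $product" >&2; return 2 ;;
    esac
    for port in $ports; do
        for node in "$@"; do
            echo "iptables -A INPUT -p tcp --dport $port -s $node -j ACCEPT"
        done
        # Everything not explicitly allowed above is dropped for this port.
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Usage (hypothetical paths and node addresses):
#   confluence_is_clustered /var/atlassian/application-data/confluence && \
#       hazelcast_firewall_rules confluence 10.0.0.11 10.0.0.12
```

Review the printed rules against your existing chain order before applying them on each node, since an earlier ACCEPT rule would make the DROP ineffective.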


Need Help With This?

Give us a call, or submit a help request here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.