Multiple Products Security Advisory - Hazelcast Vulnerable To Remote Code Execution - CVE-2016-10750, CVE-2022-26133
| Summary | CVE-2016-10750 - Hazelcast vulnerable to remote code execution |
|---|---|
| Advisory Release Date | 23:00 UTC (Coordinated Universal Time, +0 hours) |
| Affected Products | Bitbucket Data Center, Confluence Data Center |
| CVE ID | CVE-2016-10750 (Confluence Data Center) |
This advisory has been updated since its initial publication.
07:30 UTC (Coordinated Universal Time, +0 hours)
- Updated the fixed version of Confluence Data Center
23:00 UTC (Coordinated Universal Time, +0 hours)
- Assigned CVE-2022-26133 to the Bitbucket Data Center vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket
- Note that the new CVE assignment for Bitbucket does not change any other information in this advisory. The existing list of affected and fixed versions remains unchanged and accurate
- Updated the Summary of Vulnerability section accordingly
17:00 UTC (Coordinated Universal Time, +0 hours)
- Added a "Severity" section that was accidentally omitted from the initial publication
Summary of Vulnerability
Multiple Atlassian products use the third-party software Hazelcast, which is vulnerable to Java deserialization attacks. Hazelcast is used by these products when they’re configured to run as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution.
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Affected Bitbucket Data Center Versions
Bitbucket Server is not affected.
Bitbucket Cloud is not affected.
Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.
The following versions of Bitbucket Data Center are affected:
- All 5.x versions >= 5.14.x
- All 6.x versions
- All 7.x versions < 7.6.14
- All versions 7.7.x through 7.16.x
- 7.17.x < 7.17.6
- 7.18.x < 7.18.4
- 7.19.x < 7.19.4
- 7.20.0
Fixed Bitbucket Data Center Versions
The following versions of Bitbucket Data Center fix this vulnerability:
- 7.6.14
- 7.17.6
- 7.18.4
- 7.19.4
- 7.20.1
- 7.21.0
Find the versions above on our downloads page and use the steps outlined in the Bitbucket upgrade guide to complete the upgrade.
If you are unable to install a fixed version, refer to the “Workaround” section below.
Affected Confluence Data Center Versions
Confluence Data Center instances that are not installed as a cluster are not affected.
Confluence Server is not affected.
Confluence Cloud is not affected.
Confluence Data Center is only affected when it is installed as a cluster. To verify whether a cluster installation is being used, check the confluence.cfg.xml file in the Confluence home directory. If the following line is present, it has been installed as a cluster:
<property name="confluence.cluster">true</property>
If the line is not present, or if the value is set to false instead of true, it has not been installed as a cluster.
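As an added example (not part of Atlassian's advisory or tooling), the following Python encodes the Bitbucket Data Center affected ranges listed above and the confluence.cfg.xml cluster check just described, so an administrator can test a version string or a configuration file offline. The sample configuration file is constructed, not taken from a real installation.

```python
import xml.etree.ElementTree as ET

# Earliest fixed Bitbucket DC release in each minor line that has one (from the
# advisory); any release in that line below it is affected.
BITBUCKET_FIXED_PATCH = {(7, 6): 14, (7, 17): 6, (7, 18): 4, (7, 19): 4, (7, 20): 1}


def parse_version(text):
    """'7.19.3' -> (7, 19, 3); missing components are treated as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def bitbucket_dc_affected(version):
    """True if this Bitbucket DC version is inside an affected range of the advisory."""
    major, minor, patch = parse_version(version)
    if major == 5:                      # All 5.x versions >= 5.14.x
        return minor >= 14
    if major == 6:                      # All 6.x versions
        return True
    if major == 7:
        if (major, minor) in BITBUCKET_FIXED_PATCH:   # 7.6.x, 7.17.x - 7.20.x
            return patch < BITBUCKET_FIXED_PATCH[(major, minor)]
        return minor <= 16              # 7.0 - 7.5 (< 7.6.14) and 7.7.x - 7.16.x
    return False                        # not listed as affected (e.g. 7.21.0)


def confluence_is_clustered(cfg_xml):
    """True if confluence.cfg.xml carries <property name="confluence.cluster">true</property>."""
    root = ET.fromstring(cfg_xml)
    for prop in root.iter("property"):
        if prop.get("name") == "confluence.cluster":
            return (prop.text or "").strip().lower() == "true"
    return False                        # property absent: not a cluster install


# Constructed sample confluence.cfg.xml (not from a real installation).
SAMPLE_CFG = """<confluence-configuration>
  <setupStep>complete</setupStep>
  <properties>
    <property name="confluence.cluster">true</property>
    <property name="confluence.cluster.name">sample</property>
  </properties>
</confluence-configuration>"""

if __name__ == "__main__":
    for v in ("7.6.13", "7.6.14", "7.16.2", "7.19.3", "7.20.0", "7.21.0"):
        print(v, "affected" if bitbucket_dc_affected(v) else "not affected")
    print("clustered:", confluence_is_clustered(SAMPLE_CFG))
```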
The following versions of Confluence Data Center are affected when clustering is enabled:
- All versions 5.6.x and later
Fixed Confluence Data Center Versions
The following versions of Confluence Data Center fix this vulnerability:
- 7.4.17
- 7.13.7
- 7.14.3
- 7.15.2
- 7.16.4
- 7.17.4
- 7.18.1
This issue can be tracked here:
- CONFSERVER-79017
Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.
Note: If you run Confluence in a cluster, you will not be able to upgrade to these versions without downtime; a rolling (zero-downtime) upgrade is not possible. Follow the steps in Upgrading Confluence Data Center.
Workaround
Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Bitbucket or Confluence cluster.
For Bitbucket Data Center, Hazelcast uses TCP port 5701 by default.
For Confluence Data Center, Hazelcast uses both TCP ports 5701 and 5801 by default.
Acknowledgements
We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability to Atlassian's bug bounty program.
References
- BSERV-13173
- CONFSERVER-78179