Multiple Products Security Advisory - Hazelcast Vulnerable To Remote Code Execution - CVE-2016-10750, CVE-2022-26133

Summary

CVE-2016-10750 - Hazelcast vulnerable to remote code execution

Advisory Release Date

 23:00 UTC (Coordinated Universal Time, +0 hours)

Affected Products

  • Bitbucket Data Center

  • Confluence Data Center

CVE ID

CVE-2016-10750 (Confluence Data Center)
CVE-2022-26133 (Bitbucket Data Center) 

This advisory has been updated since its initial publication.

 23:00 UTC (Coordinated Universal Time, +0 hours)

  • Assigned CVE-2022-26133 to the Bitbucket Data Center vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket
  • Note the new CVE assignment for Bitbucket does not change any other information in this advisory. The existing list of affected and fixed versions remains unchanged and accurate
  • Updated the Summary of Vulnerability section accordingly

 17:00 UTC (Coordinated Universal Time, +0 hours)

  • Added a "Severity" section which was accidentally omitted from the initial publication.

Summary of Vulnerability

Multiple Atlassian products use the third-party software Hazelcast, which is vulnerable to Java deserialization attacks. Hazelcast is used by these products when they’re configured to run as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution.

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected Bitbucket Data Center Versions

  • Bitbucket Server is not affected.

  • Bitbucket Cloud is not affected.

Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.

The following versions of Bitbucket Data Center are affected:

  • All 5.x versions >= 5.14.x

  • All 6.x versions

  • All 7.x versions < 7.6.14

  • All versions 7.7.x through 7.16.x

  • 7.17.x < 7.17.6

  • 7.18.x < 7.18.4

  • 7.19.x < 7.19.4

  • 7.20.0

Fixed Bitbucket Data Center Versions

The following versions of Bitbucket Data Center fix this vulnerability:

  • 7.6.14

  • 7.17.6

  • 7.18.4

  • 7.19.4

  • 7.20.1

  • 7.21.0

Find the versions above on our downloads page and use the steps outlined in the Bitbucket upgrade guide to complete the upgrade.

If you are unable to install a fixed version, refer to the “Workaround” section below.

Affected Confluence Data Center Versions

  • Confluence Data Center instances that are not installed as a cluster are not affected.

  • Confluence Server is not affected.

  • Confluence Cloud is not affected.

Confluence Data Center is only affected when it is installed as a cluster. To verify whether a cluster installation is being used, check the confluence.cfg.xml file in the Confluence home directory. If the following line is present, it has been installed as a cluster:

<property name="confluence.cluster">true</property>

If the line is not present or if the value is set to false instead of true, it has not been installed as a cluster.

The following versions of Confluence Data Center are affected when clustering is enabled:

  • All versions 5.6.x and later

Fixed Confluence Data Center Versions

Atlassian plans to address this vulnerability in future releases. For updates, watch the following ticket:

CONFSERVER-78179 - Getting issue details... STATUS

Until then, refer to the “Workaround” section below.

Workaround

Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Bitbucket or Confluence cluster.

For Bitbucket Data Center, Hazelcast uses TCP port 5701 by default

For Confluence Data Center, Hazelcast uses both TCP ports 5701 and 5801 by default.

Acknowledgements

We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability to Atlassian's bug bounty program.

References

Last modified on Apr 8, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.