Atlassian Releases Security Updates for Bitbucket Data Center and Confluence Data Center

Updates address critical RCE vulnerabilities

Threat ID:: CC-4084
Threat Severity:: Information only
Published:: 22 April 2022 3:31 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Updates address critical RCE vulnerabilities

Affected platforms

The following platforms are known to be affected:

Versions: 5.14.x and later, 6.x and later, 7.x prior to 7.6.14, 7.7.x to 7.16, 7.17.x prior to 7.17.6, 7.18.x prior to 7.18.4, 7.19.s prior to 7.19.4, 7.20.0

Atlassian Bitbucket Data Center

Versions: When clustering is enabled, all versions 5.6.x and later

Atlassian Confluence Data Center

Threat details

Introduction

Atlassian has released an advisory that addresses vulnerabilities that originate with third-party software Hazelcast. Hazelcast is used when the Atlassian products are configured to run as a cluster.

The vulnerability known as CVE-2016-10750 affects Confluence Data Center and is open to Java deserialisation attacks. Similarly, CVE-2022-26133 can result in an affected system being vulnerable to Java deserialisation attacks, but it is specific to Bitbucket and has a CVSS score of 10.

A remote, unauthenticated attacker could exploit these vulnerabilities by sending a specially crafted request, resulting in remote code execution (RCE) and allow the attacker to take control of the system.

Remediation advice

Affected organisations are encouraged to review the Atlassian Multiple Products Security Advisory Hazelcast Vulnerable To Remote Code Execution and apply the necessary updates or workarounds.

Definitive source of threat updates

https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html

CVE Vulnerabilities

Status Published

CVE-2016-10750

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.

Status Published

CVE-2022-26133

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

Last edited: 22 April 2022 4:57 pm