Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-78179

Confluence Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2016-10750

    XMLWordPrintable

Details

    Description

      Vulnerability Details

      Confluence Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks (CVE-2016-10750). Hazelcast provides functionality needed to run Confluence Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted JoinRequest, resulting in arbitrary code execution.

      Affected Versions

       Confluence Data Center instances that are not installed as a cluster are not affected.
      Confluence Server is not affected.
      Confluence Cloud is not affected.

      Confluence Data Center is only affected when it is installed as a cluster. To verify whether a cluster installation is being used, check the confluence.cfg.xml file in the Confluence home directory. If the following line is present, it has been installed as a cluster:

      <property name="confluence.cluster">true</property> 

      If the line is not present or if the value is set to false instead of true, it has not been installed as a cluster.

      The following versions are affected when clustering is enabled:

      • 5.6.0 up to (including) 7.4.16,
      • 7.5.0 up to (including) 7.13.6,
      • 7.14.0 up to (including) 7.14.2,
      • 7.15.0 up to (including) 7.15.1,
      • 7.16.0 up to (including) 7.16.3,
      • 7.17.0 up to (including) 7.17.3,
      • 7.18.0

      Fixed Versions

      The following versions contain fixes for this issue:

      • 7.4.17 (LTS) up to (excluding) 7.5.0,
      • 7.13.7 (LTS) up to (excluding) 7.14.0,
      • 7.14.3 up to (excluding) 7.15.0,
      • 7.15.2 up to (excluding) 7.16.0,
      • 7.16.4 up to (excluding) 7.17.0,
      • 7.17.4 up to (excluding) 7.18.0,
      • 7.18.1 and up

      Workaround

      Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Confluence cluster. Confluence Data Center configures Hazelcast to use both TCP ports 5701 and 5801 by default.

      Acknowledgements

      We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.

      References

      For more information, please refer to Atlassian's security advisory.

      Attachments

        Issue Links

          Activity

            People

              19cb521e4007 Ajay Sharma
              badeloye@atlassian.com Brian Adeloye
              Votes:
              102 Vote for this issue
              Watchers:
              197 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: