Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-78179

Confluence Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2016-10750

      Vulnerability Details

      Confluence Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks (CVE-2016-10750). Hazelcast provides functionality needed to run Confluence Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted JoinRequest, resulting in arbitrary code execution.

      Affected Versions

       Confluence Data Center instances that are not installed as a cluster are not affected.
      Confluence Server is not affected.
      Confluence Cloud is not affected.

      Confluence Data Center is only affected when it is installed as a cluster. To verify whether a cluster installation is being used, check the confluence.cfg.xml file in the Confluence home directory. If the following line is present, it has been installed as a cluster:

      <property name="confluence.cluster">true</property> 

      If the line is not present or if the value is set to false instead of true, it has not been installed as a cluster.

      The following versions are affected when clustering is enabled:

      • 5.6.0 up to (including) 7.4.16,
      • 7.5.0 up to (including) 7.13.6,
      • 7.14.0 up to (including) 7.14.2,
      • 7.15.0 up to (including) 7.15.1,
      • 7.16.0 up to (including) 7.16.3,
      • 7.17.0 up to (including) 7.17.3,
      • 7.18.0

      Fixed Versions

      The following versions contain fixes for this issue:

      • 7.4.17 (LTS) up to (excluding) 7.5.0,
      • 7.13.7 (LTS) up to (excluding) 7.14.0,
      • 7.14.3 up to (excluding) 7.15.0,
      • 7.15.2 up to (excluding) 7.16.0,
      • 7.16.4 up to (excluding) 7.17.0,
      • 7.17.4 up to (excluding) 7.18.0,
      • 7.18.1 and up

      Workaround

      Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Confluence cluster. Confluence Data Center configures Hazelcast to use both TCP ports 5701 and 5801 by default.

      Acknowledgements

      We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.

      References

      For more information, please refer to Atlassian's security advisory.

            [CONFSERVER-78179] Confluence Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2016-10750

            Michael Aglas added a comment - - edited

            Michael Aglas added a comment - - edited eca3924b014e see here JRASERVER-73182

            Bhimananda: You need to upgrade to 7.13.7

            Richard Bukovansky added a comment - Bhimananda: You need to upgrade to 7.13.7

            Does fix available for Confluence Server and Data Center version 7.13.3? 

            Bhimananda Kumbar added a comment - Does fix available for Confluence Server and Data Center version 7.13.3? 

            Ganesh Gautam added a comment - - edited

            Hi eca3924b014e, ba5bba137d4e

            You can find all the fix versions in the Jira ticket's fix version itself even if a comment is not there for a version.
            FWIW it is 7.14.3, 7.15.2, 7.16.4, 7.4.17, 7.13.7, 7.18.1, 7.17.4 in the fix versions. Thanks all for the feedback and support.

            Regards,
            Ganesh

            Ganesh Gautam added a comment - - edited Hi eca3924b014e , ba5bba137d4e You can find all the fix versions in the Jira ticket's fix version itself even if a comment is not there for a version. FWIW it is 7.14.3, 7.15.2, 7.16.4, 7.4.17, 7.13.7, 7.18.1, 7.17.4 in the fix versions. Thanks all for the feedback and support. Regards, Ganesh

            A fix for this issue is available in Confluence Server and Data Center 7.13.7.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Ganesh Gautam added a comment - A fix for this issue is available in Confluence Server and Data Center 7.13.7. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Andrew Morin added a comment - 7.13.7  https://www.atlassian.com/software/confluence/download-archives

            Not understanding why this issue has been Closed when no fix has been provided for the LTS releases

            Jeanne Howe added a comment - Not understanding why this issue has been Closed when no fix has been provided for the LTS releases

            Kumaran added a comment -

            @Ganesh, thanks for update. Will there be a fix for current LTS v7.13.x ?

            Kumaran added a comment - @Ganesh, thanks for update. Will there be a fix for current LTS v7.13.x ?

            A fix for this issue is available in Confluence Server and Data Center 7.18.0.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Ganesh Gautam added a comment - A fix for this issue is available in Confluence Server and Data Center 7.18.0. Upgrade now or check out the Release Notes to see what other issues are resolved.

            A fix for this issue is available in Confluence Server and Data Center 7.4.16.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Ganesh Gautam added a comment - A fix for this issue is available in Confluence Server and Data Center 7.4.16. Upgrade now or check out the Release Notes to see what other issues are resolved.

              19cb521e4007 Ajay Sharma (Inactive)
              badeloye@atlassian.com Brian Adeloye (Inactive)
              Affected customers:
              102 This affects my team
              Watchers:
              196 Start watching this issue

                Created:
                Updated:
                Resolved: