Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
Affects Version/s: 5.6, 6.6.17, 6.13.23, 7.4.16, 7.13.6
Component/s: Security
Labels:

Fixed in Long Term Support Release/s:

Download 7.4
Support reference count:
16
Symptom Severity:
Severity 1 - Critical
UIS:
14,474
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Vulnerability Details

Confluence Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks (CVE-2016-10750). Hazelcast provides functionality needed to run Confluence Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted JoinRequest, resulting in arbitrary code execution.

Affected Versions

Confluence Data Center instances that are not installed as a cluster are not affected.
Confluence Server is not affected.
Confluence Cloud is not affected.

Confluence Data Center is only affected when it is installed as a cluster. To verify whether a cluster installation is being used, check the confluence.cfg.xml file in the Confluence home directory. If the following line is present, it has been installed as a cluster:

<property name="confluence.cluster">true</property>

If the line is not present or if the value is set to false instead of true, it has not been installed as a cluster.

The following versions are affected when clustering is enabled:

5.6.0 up to (including) 7.4.16,
7.5.0 up to (including) 7.13.6,
7.14.0 up to (including) 7.14.2,
7.15.0 up to (including) 7.15.1,
7.16.0 up to (including) 7.16.3,
7.17.0 up to (including) 7.17.3,
7.18.0

Fixed Versions

The following versions contain fixes for this issue:

7.4.17 (LTS) up to (excluding) 7.5.0,
7.13.7 (LTS) up to (excluding) 7.14.0,
7.14.3 up to (excluding) 7.15.0,
7.15.2 up to (excluding) 7.16.0,
7.16.4 up to (excluding) 7.17.0,
7.17.4 up to (excluding) 7.18.0,
7.18.1 and up

Workaround

Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Confluence cluster. Confluence Data Center configures Hazelcast to use both TCP ports 5701 and 5801 by default.

Acknowledgements

We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.

References

For more information, please refer to Atlassian's security advisory.

Attachments

Issue Links

is related to

CONFSERVER-79031 confluence.cluster.authentication.secret system property is not given precedence over confluence.cfg.xml

Closed

BSERV-13173 Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133

Published

relates to

CONFSERVER-78321 Confluence node can join the cluster even if not listed as a cluster peer

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(41 mentioned in)

Activity

People

Assignee:: Ajay Sharma

Reporter:: Brian Adeloye (Inactive)

Votes:: 102 Vote for this issue

Watchers:: 196 Start watching this issue

Dates

Created:: 24/Mar/2022 6:07 PM

Updated:: 11/Sep/2023 6:29 PM

Resolved:: 03/Jun/2022 4:10 PM