Confluence Data Center bundles the third-party library Hazelcast, which provides the functionality needed to run Confluence Data Center as a cluster and is vulnerable to a Java deserialization attack (CVE-2016-10750). A remote, unauthenticated attacker who can reach the Hazelcast port can exploit this vulnerability by sending a specially crafted JoinRequest, resulting in arbitrary code execution on the node.
Confluence Data Center instances that are not installed as a cluster are not affected.
Confluence Server is not affected.
Confluence Cloud is not affected.
Confluence Data Center is only affected when it is installed as a cluster. To verify whether a cluster installation is being used, check the confluence.cfg.xml file in the Confluence home directory. If the following line is present, the instance has been installed as a cluster:
If the line is not present, or if its value is set to false instead of true, the instance has not been installed as a cluster.
The following versions are affected when clustering is enabled:
- 5.6.0 up to (including) 7.4.16,
- 7.5.0 up to (including) 7.13.6,
- 7.14.0 up to (including) 7.14.2,
- 7.15.0 up to (including) 7.15.1,
- 7.16.0 up to (including) 7.16.3,
- 7.17.0 up to (including) 7.17.3
The following versions contain fixes for this issue:
- 7.4.17 (LTS) up to (excluding) 7.5.0,
- 7.13.7 (LTS) up to (excluding) 7.14.0,
- 7.14.3 up to (excluding) 7.15.0,
- 7.15.2 up to (excluding) 7.16.0,
- 7.16.4 up to (excluding) 7.17.0,
- 7.17.4 up to (excluding) 7.18.0,
- 7.18.1 and up
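The cluster check and the version ranges above can be combined into one host-side script. The following is an added example, not Atlassian's own tooling: it reads the clustering flag from confluence.cfg.xml and classifies the running version against the affected and fixed ranges listed in this advisory. It assumes the clustering flag is the `confluence.cluster` property of confluence.cfg.xml (adjust `CLUSTER_PROPERTY` if your file differs); the function and variable names are the example's own. Versions that fall in neither list (for instance 7.18.0, which sits between the two fixed ranges) are reported as `unlisted` rather than silently treated as safe.

```shell
#!/bin/sh
# Added example, not Atlassian's own tooling: classify a Confluence Data Center
# node against CVE-2016-10750 from the two facts the advisory names, the
# clustering flag in confluence.cfg.xml and the Confluence version.
# Assumption: the clustering flag is the <property name="confluence.cluster">
# element in confluence.cfg.xml; change CLUSTER_PROPERTY if your file differs.

CLUSTER_PROPERTY="confluence.cluster"

# Affected ranges from the advisory: "low high" pairs, both ends inclusive.
AFFECTED_RANGES="5.6.0 7.4.16
7.5.0 7.13.6
7.14.0 7.14.2
7.15.0 7.15.1
7.16.0 7.16.3
7.17.0 7.17.3"

# Fixed ranges from the advisory: low inclusive, high exclusive. The open-ended
# "7.18.1 and up" gets an artificial upper bound that no real release reaches.
FIXED_RANGES="7.4.17 7.5.0
7.13.7 7.14.0
7.14.3 7.15.0
7.15.2 7.16.0
7.16.4 7.17.0
7.17.4 7.18.0
7.18.1 999.0.0"

# Map "major.minor.patch" to one integer so ranges compare with plain
# arithmetic: 7.13.6 -> 7*1000000 + 13*1000 + 6 = 7013006. A suffix such as
# "-beta" is dropped; minor and patch components below 1000 are assumed.
version_key() {
    set -- $(printf '%s\n' "${1%%[!0-9.]*}" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# version_in_ranges VERSION RANGES UPPER_TEST
# UPPER_TEST is -le (inclusive upper bound) or -lt (exclusive upper bound).
version_in_ranges() {
    v=$(version_key "$1")
    upper_test=$3
    set -- $2            # word-split RANGES into lo1 hi1 lo2 hi2 ...
    while [ $# -ge 2 ]; do
        if [ "$v" -ge "$(version_key "$1")" ] && [ "$v" $upper_test "$(version_key "$2")" ]; then
            return 0
        fi
        shift 2
    done
    return 1
}

version_affected() { version_in_ranges "$1" "$AFFECTED_RANGES" -le; }
version_fixed()    { version_in_ranges "$1" "$FIXED_RANGES" -lt; }

# True when confluence.cfg.xml enables clustering, i.e. it contains
#   <property name="confluence.cluster">true</property>
cluster_enabled() {
    grep -Eq "<property name=\"$CLUSTER_PROPERTY\">[[:space:]]*true[[:space:]]*</property>" "$1"
}

# confluence_status CONFIG_FILE VERSION prints one word:
#   not-clustered  clustering is off, so the Hazelcast JoinRequest path is not exposed
#   affected       clustered and the version is inside an affected range
#   fixed          clustered and the version contains the fix
#   unlisted       clustered, version in neither list (e.g. 7.18.0); check the advisory
confluence_status() {
    if ! cluster_enabled "$1"; then
        echo not-clustered
    elif version_affected "$2"; then
        echo affected
    elif version_fixed "$2"; then
        echo fixed
    else
        echo unlisted
    fi
}

# Usage: sh check_confluence.sh /path/to/confluence-home/confluence.cfg.xml 7.13.6
if [ $# -eq 2 ]; then
    confluence_status "$1" "$2"
fi
```

Run it on each node of the cluster, since every node reads its own confluence.cfg.xml. The `unlisted` result is deliberate: a version the advisory neither lists as affected nor as fixed should be confirmed against the advisory rather than assumed safe.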
Upgrade to one of the fixed versions listed above. Until that is done, restrict access to the Hazelcast ports by using a firewall or other network access controls: the ports only need to be reachable from the other nodes in the Confluence cluster, so every other source should be blocked. Confluence Data Center configures Hazelcast to use both TCP ports 5701 and 5801 by default.
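One way to express that restriction on a Linux node is an nftables ruleset that accepts TCP 5701 and 5801 only from the other cluster members and drops everything else to those ports. The following is an added example, not part of the advisory: the peer addresses are constructed placeholders, the table and set names are the example's own, and the generated file still has to be reviewed and loaded with `nft -f` on each node.

```shell
#!/bin/sh
# Added example, not Atlassian's guidance verbatim: emit an nftables ruleset
# that lets only the listed cluster peers reach the Hazelcast ports (TCP 5701
# and 5801, the Confluence Data Center defaults named in the advisory) and
# drops and logs every other source. Table and set names are this example's
# own; peer addresses are placeholders to be replaced with the real nodes.

# hazelcast_nft_rules PEER_IP... prints the ruleset to stdout.
hazelcast_nft_rules() {
    [ $# -ge 1 ] || { echo "usage: hazelcast_nft_rules PEER_IP..." >&2; return 1; }
    # Join the peers into nft set syntax: "a, b, c"
    peers=$(printf '%s, ' "$@"); peers=${peers%, }
    cat <<EOF
table inet hazelcast_guard {
    set cluster_peers {
        type ipv4_addr
        elements = { $peers }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # A node may talk to its own Hazelcast member over loopback
        iif lo accept
        # Other cluster members may join and replicate
        tcp dport { 5701, 5801 } ip saddr @cluster_peers accept
        # Everybody else is cut off from the vulnerable JoinRequest path
        tcp dport { 5701, 5801 } log prefix "hazelcast-blocked: " drop
    }
}
EOF
}

# Usage: sh hazelcast_nft.sh 10.0.20.11 10.0.20.12 10.0.20.13 > hazelcast.nft
#        nft -f hazelcast.nft
# (the addresses are constructed placeholders; list every node's address,
#  including the one this ruleset is applied on)
if [ $# -ge 1 ]; then
    hazelcast_nft_rules "$@"
fi
```

The ruleset leaves the chain policy at accept, so it only touches the two Hazelcast ports and cannot lock you out of SSH or the Confluence web port; the `log` line gives you a record of anything that tries to reach Hazelcast from outside the cluster, which is worth watching while you schedule the upgrade.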
We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.
For more information, please refer to Atlassian's security advisory.