Atlassian flags Bitbucket and Confluence Data Center flaws

Cluster tech vulnerability means either patching or port tinkering could be on the cards

Atlassian has demonstrated the interconnectedness of all things with a warning that some versions of Bitbucket Data Center and Confluence Data Center require patching courtesy of the Hazelcast Java deserialization vulnerability.

Hazelcast is an in-memory data grid and spreads data over the nodes of a cluster and is used for efficiency and performance via its in-memory tech. It is also relatively environment agnostic, running happily on-premises or in Microsoft, Amazon, and Google's clouds.

The vulnerability affects products running as a cluster; the Server and Cloud versions of Bitbucket and Confluence are not affected. Exploitation is via a specially crafted JoinRequest with the potential result of arbitrary code execution.

The problem affects Hazelcast prior to version 3.11 and is documented as part of CVE-2016-10750. It has a CVSS score of 8.0. At fault is the cluster join procedure. An attacker must be able to reach a listening Hazelcast instance and, should vulnerable classes exist in the class path, they can potentially have a field day.

Atlassian uses the technology in Bitbucket and Confluence Data Center, and has popped out an advisory to the effect that admins should update. For Bitbucket Data Center, version 7.6.14 contains the fix. As does 7.17.6, 7.18.4, 7.19.4, 7.20.1, and 7.21.0.

For Confluence, however, it's a bit more complicated. Where the tool has been installed as a cluster (and users are advised to check for the confluence.cfg.xml file line below) and version 5.6.x or later is in use, the only workaround at present is to restrict access to the Hazelcast port.

<property name="confluence.cluster">true</property>

"Atlassian plans to address this vulnerability in future releases," intoned the company, directing worried users to a ticket for the issue.

The company gave a nod to Benny Jacob (SnowyOwl) for reporting the vulnerability to its bug bounty program. However, it remains a reminder of the interdependencies lurking in software. This particular vulnerability, for example, was flagged up in GitHub in 2016 and closed in 2018. The National Vulnerability Database published a warning in 2019.

Keeping up to date remains as important as ever, both for customers and for vendors. ®

Other stories you might like

  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Atlassian: Unpatched years-old flaw under attack right now to hijack Confluence
    One option: Take the thing offline until Friday patch applied

    Updated Atlassian has warned users of its Confluence collaboration tool that they should either restrict internet access to the software, or disable it, in light of a critical-rated unauthenticated remote-code-execution flaw in the product that is actively under attack.

    An advisory dated June 2, 1300 PT (2000 UTC), does not describe the nature of the flaw, and reveals "current active exploitation" has been detected. No patch is available.

    The flaw is present in version 7.18 of Confluence Server, which is under attack, as well as potentially versions 7.4 and higher of Confluence Server and Confluence Data Center. Version 7.4 is a long-term support edition.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022