Atlassian has demonstrated the interconnectedness of all things with a warning that some versions of Bitbucket Data Center and Confluence Data Center require patching courtesy of the Hazelcast Java deserialization vulnerability.

Hazelcast is an in-memory data grid and spreads data over the nodes of a cluster and is used for efficiency and performance via its in-memory tech. It is also relatively environment agnostic, running happily on-premises or in Microsoft, Amazon, and Google’s clouds.

The vulnerability affects products running as a cluster; the Server and Cloud versions of Bitbucket and Confluence are not affected. Exploitation is via a specially crafted JoinRequest with the potential result of arbitrary code execution.

The problem affects Hazelcast prior to version 3.11 and is documented as part of CVE-2016-10750. It has a CVSS score of 8.0. At fault is the cluster join procedure. An attacker must be able to reach a listening Hazelcast instance and, should vulnerable classes exist in the class path, they can potentially have a field day.

Atlassian uses the technology in Bitbucket and Confluence Data Center, and has popped out an advisory to the effect that admins should update. For Bitbucket Data Center, version 7.6.14 contains the fix. As does 7.17.6, 7.18.4, 7.19.4, 7.20.1, and 7.21.0.

For Confluence, however, it’s a bit more complicated. Where the tool has been installed as a cluster (and users are advised to check for the confluence.cfg.xml file line below) and version 5.6.x or later is in use, the only workaround at present is to restrict access to the Hazelcast port.

<property name="confluence.cluster">true</property>

“Atlassian plans to address this vulnerability in future releases,” intoned the company, directing worried users to a ticket for the issue.

The company gave a nod to Benny Jacob (SnowyOwl) for reporting the vulnerability to its bug bounty program. However, it remains a reminder of the interdependencies lurking in software. This particular vulnerability, for example, was flagged up in GitHub in 2016 and closed in 2018. The National Vulnerability Database published a warning in 2019.

Keeping up to date remains as important as ever, both for customers and for vendors. ®