An old Java bug in an unpatched third-party component has left Atlassian shops with a choice between patching and working around the problem, depending on which product they run.
Various versions of the company’s Bitbucket Data Centre have been released to patch the bug in the third-party Hazelcast platform.
Atlassian’s advisory says single and multi-node Bitbucket installations are affected. Eight versions in Bitbucket 5.x, 6.x and 7.x need patching.
The fixes are present in Bitbucket 7.6.14, 7.17.6, 7.18.4, 7.19.4, 7.20.1 and 7.21.0.
The bug also affects Confluence Data Centre versions 5.6.x and later, but only if it is configured as a cluster.
Atlassian has not yet released a patched version. In the meantime, Confluence Data Centre users are advised to restrict access to the Hazelcast ports (TCP 5701 and 5801 by default) at the firewall.
For Bitbucket users, only port 5701 needs to be restricted.
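The firewall workaround above is the only mitigation the advisory offers until Confluence is patched. The following POSIX shell script is an added example, not code from the article or from Atlassian: it turns the port list in the article (TCP 5701 and 5801 for Confluence Data Centre, 5701 only for Bitbucket) into iptables rules that accept those ports only from named cluster peers and drop everything else. The peer addresses are constructed for illustration; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the article or Atlassian): emit iptables rules that
# restrict the Hazelcast ports named in the advisory to listed cluster peers.
# Port sets follow the article: Confluence Data Centre 5701 and 5801,
# Bitbucket 5701 only. Peer IPs are constructed sample values.

# hazelcast_ports PRODUCT -> space-separated list of Hazelcast ports to restrict
hazelcast_ports() {
    case "$1" in
        confluence) echo "5701 5801" ;;
        bitbucket)  echo "5701" ;;
        *) echo "unknown product: $1" >&2; return 1 ;;
    esac
}

# hazelcast_fw_rules PRODUCT PEER_IP... -> iptables commands on stdout
# For each port: one ACCEPT per cluster peer, then a catch-all DROP.
# A single-node install (no peers) gets only the DROP rule, since nothing
# outside the host should ever reach the cluster port.
hazelcast_fw_rules() {
    product="$1"; shift
    ports=$(hazelcast_ports "$product") || return 1
    for port in $ports; do
        for peer in "$@"; do
            echo "iptables -A INPUT -p tcp --dport $port -s $peer -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# hazelcast_rule_count PRODUCT PEER_IP... -> number of rules that would be emitted
hazelcast_rule_count() {
    hazelcast_fw_rules "$@" | wc -l | tr -d ' '
}

# Usage: a two-node Confluence Data Centre cluster with constructed peer addresses.
# Review the output, then pipe it to sh on each node if it is correct.
hazelcast_fw_rules confluence 10.0.0.11 10.0.0.12
```

The rules deliberately sit on the INPUT chain with an explicit DROP per port rather than relying on a default policy, so they still block the cluster port on hosts whose default INPUT policy is ACCEPT. Confluence clusters that use a non-default Hazelcast port would need the port list adjusted to match.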
The bug in Hazelcast is a Java deserialisation bug that dates to 2016.
According to the original advisory, CVE-2016-10750: “In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialisation.
“If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.”
As the first bug report on GitHub notes, because the bug is in the handling of JoinRequest it can be triggered before authentication, which means it gives an attacker unauthenticated remote code execution.