Atlassian data centre products impacted by third-party bug

28 March 2022

Update if you can, remediate if you can't.

An old Java bug in an unpatched third-party product has given Atlassian shops the choice between patching and remediation.

Various versions of the company’s Bitbucket Data Centre have been released to patch the bug in the third-party Hazelcast platform.

Atlassian’s advisory says single and multi-node Bitbucket installations are affected. Eight versions in Bitbucket 5.x, 6.x and 7.x need patching.

The fixes are present in Bitbucket 7.6.14, 7.17.6, 7.18.4, 7.19.4, 7.20.1 and 7.21.0.
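A small helper for auditing a Bitbucket Data Centre installation against those release numbers. It is an added example written for this article, not Atlassian's own tooling, and it assumes that builds below the fixed release in each listed line are vulnerable, that lines with no fixed release in the advisory (5.x, 6.x and the unlisted 7.x lines) must move to a fixed line, and that releases newer than 7.21.0 carry the fix.

```python
"""Check a Bitbucket Data Centre version against the fixed releases named in
Atlassian's advisory for the Hazelcast deserialisation bug (CVE-2016-10750)."""
from typing import Optional, Tuple

# Fixed Bitbucket releases as listed in the advisory, keyed by release line.
FIXED_BITBUCKET = {
    (7, 6): (7, 6, 14),
    (7, 17): (7, 17, 6),
    (7, 18): (7, 18, 4),
    (7, 19): (7, 19, 4),
    (7, 20): (7, 20, 1),
    (7, 21): (7, 21, 0),
}
NEWEST_FIXED = max(FIXED_BITBUCKET.values())


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.17.6' (or '7.21') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts[0], parts[1], parts[2]


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_upgrade_target).

    'fixed'        - at or above the fixed release for its line, or newer
                     than 7.21.0 (assumption: later lines include the fix)
    'upgrade-line' - an older build of a line that has a fix: move to it
    'no-fix-line'  - a line with no fixed release in the advisory
                     (assumption: 5.x, 6.x, unlisted 7.x); move to 7.21.0
                     and restrict TCP 5701 at the firewall until then
    """
    v = parse_version(version)
    line = (v[0], v[1])
    if line in FIXED_BITBUCKET:
        fixed = FIXED_BITBUCKET[line]
        if v >= fixed:
            return "fixed", None
        return "upgrade-line", ".".join(map(str, fixed))
    if v > NEWEST_FIXED:
        return "fixed", None
    return "no-fix-line", ".".join(map(str, NEWEST_FIXED))


if __name__ == "__main__":
    for sample in ("7.17.5", "7.17.6", "6.10.1", "7.22.0"):
        print(sample, *assess(sample))
```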

The bug also affects Confluence Data Centre versions 5.6.x and later, but only if it is configured as a cluster.

Atlassian has not yet released a patched version. In the meantime, Confluence Data Centre users are advised to restrict access to the Hazelcast ports (TCP 5701 and 5801 by default) at the firewall.

For Bitbucket users, only port 5701 needs to be restricted.

The bug in Hazelcast is a Java deserialisation bug that dates to 2016.

According to the original advisory for CVE-2016-10750: “In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialisation.

“If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.”

As the first bug report on GitHub noted, because the flaw is in the handling of JoinRequest, it can be triggered before authentication, meaning it gives an attacker unauthenticated remote code execution.

Copyright © iTnews.com.au . All rights reserved.