Atlassian data center products affected by a third-party bug – Security – Software

An old Java bug in an unpatched third-party component has left Atlassian shops with a choice between patching and mitigating.

Various versions of the company’s Bitbucket Data Center have been released to fix the bug in the third-party Hazelcast platform.

Atlassian’s advisory states that single and multi-node Bitbucket installations are affected. Eight versions in Bitbucket 5.x, 6.x and 7.x need to be patched.

The fixes are present in Bitbucket 7.6.14, 7.17.6, 7.18.4, 7.19.4, 7.20.1 and 7.21.0.

The bug also affects Confluence Data Center versions 5.6.x and higher, but only when configured as a cluster.

Atlassian has not yet released a patched version. In the meantime, Confluence Data Center users are advised to restrict access to the Hazelcast ports (TCP 5701 and 5801 by default) on the firewall.

Only port 5701 needs to be restricted for Bitbucket users.
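The firewall advice above is only useful if you can confirm the Hazelcast ports are actually unreachable from untrusted networks. The following is an added example (not Atlassian's or Hazelcast's code) of a small exposure check: run it from a vantage point that should not be able to reach the cluster and it probes the default ports the advisory names, 5701 and 5801 for Confluence Data Center and 5701 for Bitbucket. It assumes the default Hazelcast ports have not been changed; the local listener it starts in `__main__` is a constructed stand-in for a Hazelcast node so the script runs offline.

```python
import socket
from typing import Dict, List, Optional, Tuple

# Default Hazelcast ports named in the advisory (assumption: defaults unchanged).
HAZELCAST_PORTS: Dict[str, List[int]] = {
    "confluence": [5701, 5801],
    "bitbucket": [5701],
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A completed handshake means the port is reachable from *this* machine, so
    run the check from the network segment that should be blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False


def audit_hazelcast_exposure(
    host: str,
    product: str,
    timeout: float = 2.0,
    ports: Optional[List[int]] = None,
) -> Dict[int, bool]:
    """Probe each Hazelcast port the product uses; True means reachable."""
    if ports is None:
        ports = HAZELCAST_PORTS[product.lower()]
    return {port: probe_port(host, port, timeout) for port in ports}


def format_report(host: str, exposure: Dict[int, bool]) -> List[str]:
    """Render one line per port so the result can go straight into a ticket."""
    lines = []
    for port, reachable in sorted(exposure.items()):
        status = "REACHABLE - restrict at the firewall" if reachable else "blocked/closed"
        lines.append(f"{host}:{port} {status}")
    return lines


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a Hazelcast node: an ephemeral loopback listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo against the constructed listener instead of a real cluster.
    srv, port = start_local_listener()
    try:
        result = audit_hazelcast_exposure("127.0.0.1", "bitbucket", ports=[port])
        print("\n".join(format_report("127.0.0.1", result)))
    finally:
        srv.close()
```

Against a real deployment, call `audit_hazelcast_exposure("<node address>", "confluence")` from a host outside the cluster segment; any port reported as reachable is one the firewall rule has not covered. Note that a blocked result from inside the trusted segment proves nothing, because the advice is to restrict access from untrusted networks, not from the nodes themselves.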

The bug in Hazelcast is a Java deserialization bug from 2016.

According to the original advisory CVE-2016-10750: “In Hazelcast prior to 3.11, the cluster join mechanism is vulnerable to remote code execution via Java deserialization.

“If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest and vulnerable classes are present in the classpath, the attacker can execute arbitrary code.”

According to the initial bug report on GitHub, because the flaw sits in the JoinRequest handling it can be triggered before authentication, meaning it gives an attacker unauthenticated remote code execution.

Source: https://www.itnews.com.au/news/atlassian-data-centre-products-impacted-by-third-party-bug-577943?utm_source=feed&utm_medium=rss&utm_campaign=iTnews+

Jessica MacLeish
