atlassian CONFSERVER-78179
Mar 24, 2022 - 6:07 p.m.

Confluence Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2016-10750

2022-03-24 18:07:18
jira.atlassian.com

CVSS2: 7.5 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.026 Low (Percentile: 90.4%)

h3. Vulnerability Details

Confluence Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks ([CVE-2016-10750|https://vulners.com/cve/CVE-2016-10750]). Hazelcast provides functionality needed to run Confluence Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted {{JoinRequest}}, resulting in arbitrary code execution.
h3. Affected Versions

(i) Confluence Data Center instances that are not installed as a cluster are not affected.
(i) Confluence Server is not affected.
(i) Confluence Cloud is not affected.

Confluence Data Center is only affected when it is installed as a cluster. To verify whether a cluster installation is being used, check the {{confluence.cfg.xml}} file in the [Confluence home directory|https://confluence.atlassian.com/doc/confluence-home-and-other-important-directories-590259707.html]. If the following line is present, it has been installed as a cluster:
{code:java}
<property name="confluence.cluster">true</property>
{code}
If the line is not present or if the value is set to {{false}} instead of {{true}}, it has not been installed as a cluster.

The following versions are affected when clustering is enabled:

  • 5.6.0 up to (including) 7.4.16,
  • 7.5.0 up to (including) 7.13.6,
  • 7.14.0 up to (including) 7.14.2,
  • 7.15.0 up to (including) 7.15.1,
  • 7.16.0 up to (including) 7.16.3,
  • 7.17.0 up to (including) 7.17.3,
  • 7.18.0
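
The two checks above (cluster flag in {{confluence.cfg.xml}}, then version against the affected ranges) can be combined into one triage script. This is an added example, not Atlassian's code: the function names and the constructed sample file are assumptions, and the version string is supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Affected ranges (both ends inclusive), copied from the list above.
AFFECTED = [
    ("5.6.0", "7.4.16"), ("7.5.0", "7.13.6"), ("7.14.0", "7.14.2"),
    ("7.15.0", "7.15.1"), ("7.16.0", "7.16.3"), ("7.17.0", "7.17.3"),
    ("7.18.0", "7.18.0"),
]

# Constructed sample; only the <property> line is taken from the advisory,
# the wrapper element names are assumptions.
SAMPLE_CFG = """<confluence-configuration>
  <properties>
    <property name="confluence.cluster">true</property>
  </properties>
</confluence-configuration>"""

def parse_version(text):
    """'7.13.6' -> (7, 13, 6); short versions are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_clustered(cfg_xml):
    """True only if a confluence.cluster property is present and 'true'."""
    root = ET.fromstring(cfg_xml)
    for prop in root.iter("property"):
        if prop.get("name") == "confluence.cluster":
            # Case-insensitive comparison is an assumption of this example.
            return (prop.text or "").strip().lower() == "true"
    return False  # property absent: not a cluster installation

def version_affected(version):
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED)

def assess(cfg_xml, version):
    """Combine both checks into a single verdict string."""
    if not is_clustered(cfg_xml):
        return "not affected: not installed as a cluster"
    if version_affected(version):
        return "AFFECTED: upgrade or restrict the Hazelcast ports"
    return "not affected: version outside the affected ranges"

if __name__ == "__main__":
    print(assess(SAMPLE_CFG, "7.13.6"))
```

On a real node, read {{confluence.cfg.xml}} from the Confluence home directory in binary mode and pass the bytes to {{assess}} together with the installed version.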

h3. Fixed Versions

The following versions contain fixes for this issue:

  • 7.4.17 (LTS) up to (excluding) 7.5.0,
  • 7.13.7 (LTS) up to (excluding) 7.14.0,
  • 7.14.3 up to (excluding) 7.15.0,
  • 7.15.2 up to (excluding) 7.16.0,
  • 7.16.4 up to (excluding) 7.17.0,
  • 7.17.4 up to (excluding) 7.18.0,
  • 7.18.1 and up

h3. Workaround

Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Confluence cluster. Confluence Data Center configures Hazelcast to [use both TCP ports 5701 and 5801 by default|https://confluence.atlassian.com/doc/set-up-a-confluence-data-center-cluster-982322030.html#SetupaConfluenceDataCentercluster-Security].
h3. Acknowledgements

We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.
h3. References

For more information, please refer to [Atlassian's security advisory|https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html].

Affected configurations

  • atlassian confluence_data_center, range ≤ 5.6
  • atlassian confluence_data_center, range ≤ 6.6.17
  • atlassian confluence_data_center, range ≤ 6.13.23
  • atlassian confluence_data_center, range ≤ 7.4.16
  • atlassian confluence_data_center, range ≤ 7.13.6
  • atlassian confluence_data_center, range < 7.4.17
  • atlassian confluence_data_center, range < 7.13.7
  • atlassian confluence_data_center, range < 7.14.3
  • atlassian confluence_data_center, range < 7.15.2
  • atlassian confluence_data_center, range < 7.16.4
  • atlassian confluence_data_center, range < 7.17.4
  • atlassian confluence_data_center, range < 7.18.1
