Dear customer,

on the 24th March 2022 23:00 UTC, Atlassian issued a Security Advisory for Confluence and Bitbucket Data Center. The Server and Cloud versions of the aplications as well as other Atlassian products are not affected.

What you need to know

A vulnerability in the software Hazelcast has been discovered in conjunction with the named Atlassian products. Hazelcast is used by Confluence and Bitbucket Data Center when configured to operate as a cluster. A remote, unauthenticated attacker can exploit this vulnerability.

Affected Versions

Confluence Data Center

To verify whether a cluster installation is being used, check the confluence.cfg.xml file in the Confluence home directory. If the following line is present, it has been installed as a cluster:

<property name="confluence.cluster">true</property>

If the line is not present or if the value is set to false instead of true, it has not been installed as a cluster.

The following versions of Confluence Data Center are affected when clustering is enabled:

• All versions 5.6.x and later

Bitbucket Data Center

Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.

The following versions of Bitbucket Data Center are affected:

• All 5.x versions before 5.14.x

• All 6.x versions

• All 7.x versions lower than 7.6.14

• All versions 7.7.x through 7.16.x

• 7.17.x lower than 7.17.6

• 7.18.x lower than 7.18.4

• 7.19.x lower than 7.19.4

• 7.20.0

What should I do?

Fix Confluence Data Center

Fix Bitbucket Data Center

Further Reading

• CVE-2016-10750

Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.