BSERV-13173
Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133

2022-03-18 19:56:33
security-metrics-bot
jira.atlassian.com

9.8 High (CVSS3)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

7.5 High (CVSS2)
AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.026 Low (percentile 90.2%)

Update: 2022/04/08 23:00 UTC (Coordinated Universal Time, +0 hours)

  • Assigned CVE-2022-26133 to this vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket
  • Note the new CVE assignment does not change any other information in this advisory. The existing list of affected and fixed versions remains unchanged and accurate

h3. Vulnerability Details

Bitbucket Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks (CVE-2022-26133, originally tracked under [CVE-2016-10750|https://vulners.com/cve/CVE-2016-10750]). Hazelcast provides the clustering functionality that Bitbucket Data Center needs to run as a multi-node cluster. A remote, unauthenticated attacker who can reach the Hazelcast port can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution on the node.
h3. Affected Versions

(i) Bitbucket Server is not affected.
(i) Bitbucket Cloud is not affected.

Both single-node and multi-node installations of Bitbucket Data Center are affected: Hazelcast is part of Data Center regardless of the clustering setting, so enabling or disabling clustering does not change whether the application is vulnerable.

The following versions are affected:

  • All 5.x versions >= 5.14.x
  • All 6.x versions
  • All 7.x versions < 7.6.14
  • All versions 7.7.x through 7.16.x
  • 7.17.x < 7.17.6
  • 7.18.x < 7.18.4
  • 7.19.x < 7.19.4
  • 7.20.0
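
The list above has several edge cases (7.6.13 is affected but 7.6.14 is not, 7.20.0 is affected but 7.20.1 is not). The following is an added example, not part of the Atlassian advisory, that encodes the list as a shell function so an inventory of Bitbucket Data Center version strings can be triaged without reading the bullets by hand. It assumes version strings of the form `major.minor[.patch]` with numeric components; versions not listed above (anything before 5.14.0, 7.21.0 and later, 8.x) are reported as not in the affected list.

```shell
# Added example (not from the Atlassian advisory): classify a Bitbucket Data
# Center version against the affected-version list in this advisory.
# Returns 0 (true) when the version is listed as affected, 1 otherwise.
# Assumption: "major.minor[.patch]" with numeric components; a trailing
# suffix such as "-rc1" on a component is ignored.
bitbucket_dc_affected() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  # Strip any non-numeric suffix and default missing components to 0.
  minor="${minor%%[!0-9]*}"; minor="${minor:-0}"
  patch="${patch%%[!0-9]*}"; patch="${patch:-0}"
  case "$major" in
    5) [ "$minor" -ge 14 ] ;;                 # all 5.x versions >= 5.14.x
    6) return 0 ;;                            # all 6.x versions
    7)
      case "$minor" in
        [0-5])        return 0 ;;             # 7.0.x .. 7.5.x (all 7.x < 7.6.14)
        6)            [ "$patch" -lt 14 ] ;;  # fixed in 7.6.14
        7|8|9|1[0-6]) return 0 ;;             # 7.7.x through 7.16.x
        17)           [ "$patch" -lt 6 ] ;;   # fixed in 7.17.6
        18)           [ "$patch" -lt 4 ] ;;   # fixed in 7.18.4
        19)           [ "$patch" -lt 4 ] ;;   # fixed in 7.19.4
        20)           [ "$patch" -eq 0 ] ;;   # 7.20.0 only; fixed in 7.20.1
        *)            return 1 ;;             # 7.21.0 and later
      esac ;;
    *) return 1 ;;                            # before 5.14.0, or 8.x and later
  esac
}

# Usage: sh check.sh 7.6.13 7.6.14 7.20.0 7.20.1
for v in "$@"; do
  if bitbucket_dc_affected "$v"; then
    echo "$v: affected, upgrade to a fixed version"
  else
    echo "$v: not in the affected list"
  fi
done
```

The function deliberately reports only what the list above says; it does not try to infer anything about versions the advisory does not mention.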

h3. Fixed Versions

The following versions of Bitbucket Data Center fix this vulnerability:

  • 7.6.14
  • 7.17.6
  • 7.18.4
  • 7.19.4
  • 7.20.1
  • 7.21.0

Find the versions above on our [downloads page|https://www.atlassian.com/software/bitbucket/download-archives] and use the steps outlined in the [Bitbucket upgrade guide|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-upgrade-guide-776640551.html] to complete the upgrade.

If you are unable to install a fixed version, refer to the "Workaround" section below.
h3. Workaround

Restrict access to the Hazelcast port with a firewall or other network access controls. The port only needs to be reachable by the other nodes in the Bitbucket Data Center cluster; on a single-node installation nothing outside the host needs to reach it at all. Bitbucket Data Center configures Hazelcast to use [TCP port 5701 by default|https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-requirements-913477100.html]; if your deployment has changed that port, restrict the configured port instead. This is a mitigation rather than a fix: the node still deserializes whatever reaches the port, so any host that remains allowed (including a compromised cluster peer) can still exploit the vulnerability.
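
As an added example of the workaround (not Atlassian's own guidance or tooling), the script below generates an iptables rule set that accepts connections to the Hazelcast port only from the loopback interface and from an explicit list of cluster peers, and drops everything else. It assumes a Linux node with iptables, the default TCP port 5701 (override with `HAZELCAST_PORT`), and the peer addresses `10.0.1.11` and `10.0.1.12` are a constructed sample. The rules are printed rather than applied so they can be reviewed first; pipe the output to `sh` to apply them.

```shell
# Added example (not from the Atlassian advisory): emit iptables rules that
# restrict the Hazelcast member port to the loopback interface and to the
# other Bitbucket Data Center nodes.
# Assumptions: Linux with iptables; default port 5701 unless HAZELCAST_PORT
# is set; the peer list passed in is the other cluster nodes' addresses.
HAZELCAST_PORT="${HAZELCAST_PORT:-5701}"

# hazelcast_rules "<space-separated peer IPs>"  ->  iptables commands on stdout
# With an empty peer list (single-node Data Center) only loopback is allowed.
# The output is idempotent: re-running it flushes and rebuilds the chain and
# replaces the INPUT jump instead of adding a second one.
hazelcast_rules() {
  peers="$1"
  # Dedicated chain so the policy for this port is easy to audit and remove.
  printf '%s\n' "iptables -N HAZELCAST 2>/dev/null || iptables -F HAZELCAST"
  printf '%s\n' "iptables -A HAZELCAST -i lo -j ACCEPT"
  for peer in $peers; do
    printf '%s\n' "iptables -A HAZELCAST -s $peer -j ACCEPT"
  done
  printf '%s\n' "iptables -A HAZELCAST -j DROP"
  # Remove any previous jump, then insert at position 1 so a later blanket
  # ACCEPT rule in INPUT cannot shadow this chain.
  printf '%s\n' "iptables -D INPUT -p tcp --dport $HAZELCAST_PORT -j HAZELCAST 2>/dev/null"
  printf '%s\n' "iptables -I INPUT 1 -p tcp --dport $HAZELCAST_PORT -j HAZELCAST"
}

# Usage (constructed sample peers):
#   hazelcast_rules "10.0.1.11 10.0.1.12"          # review
#   hazelcast_rules "10.0.1.11 10.0.1.12" | sh     # apply
#   hazelcast_rules ""                             # single-node: loopback only
# Verify from a host that should now be blocked (assumes nc is installed):
#   nc -z -w 3 <bitbucket-node> 5701 && echo "port 5701 still reachable"
```

Apply the equivalent rules on every node, listing the other nodes as peers on each; the check with `nc` should succeed from a peer and time out from anywhere else.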
h3. Acknowledgements

We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.
h3. References

For more information, please refer to [Atlassian’s security advisory|https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html].
