Bitbucket Server security advisory 2016-09-21

HipChat for Bitbucket Server plugin - leaks secret key - HC-32766

Note: As of September 2014 we are no longer issuing binary bug patches; instead, we create new maintenance releases for the major versions we are backporting.

Date of Advisory: 10 AM PDT (Pacific Time, -7 hours)

CVE ID: 

  • CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

Product: Bitbucket Server and the Atlassian Hipchat Integration Plugin for Bitbucket Server.

Affected Atlassian Hipchat Integration Plugin versions:

  • 6.26.0 <= version < 6.27.5
  • 6.28.0 <= version < 7.3.7
  • 7.4.0 <= version < 7.8.17

Affected Bitbucket Server product versions:

  • 3.10.0 <= version < 4.4.4
  • 4.5.0 <= version < 4.5.3
  • 4.6.0 <= version < 4.6.4
  • 4.7.0 <= version < 4.7.2
  • 4.8.0 <= version < 4.8.4

Fixed Bitbucket Server product versions:

  • for 4.4.x, Bitbucket Server 4.4.4 has been released with a fix for this issue.
  • for 4.5.x, Bitbucket Server 4.5.3 has been released with a fix for this issue.
  • for 4.6.x, Bitbucket Server 4.6.4 has been released with a fix for this issue.
  • for 4.7.x, Bitbucket Server 4.7.2 has been released with a fix for this issue.
  • for 4.8.x, Bitbucket Server 4.8.4 has been released with a fix for this issue.
  • for 4.9.x, Bitbucket Server 4.9.0 has been released with a fix for this issue.
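As an added example (not part of this advisory and not Atlassian code), the following Python script encodes the ranges from the "Affected ... versions" lists above and implements the dotted-version comparison needed to check an inventory against them. The parser, the `assess` helper and the sample inventory are assumptions of the example; trailing qualifiers such as `-SNAPSHOT` are ignored, and a version match alone does not tell you whether a HipChat integration is configured, which the advisory names as a precondition for an instance to be affected.

```python
"""Check Bitbucket Server and HipChat plugin versions against this advisory.

Added example, not Atlassian code. The ranges below are copied from the
"Affected ... versions" lists of the advisory; everything else is assumed.
"""
import re

# (inclusive lower bound, exclusive upper bound) pairs from the advisory
PLUGIN_AFFECTED = [("6.26.0", "6.27.5"), ("6.28.0", "7.3.7"), ("7.4.0", "7.8.17")]
SERVER_AFFECTED = [("3.10.0", "4.4.4"), ("4.5.0", "4.5.3"), ("4.6.0", "4.6.4"),
                   ("4.7.0", "4.7.2"), ("4.8.0", "4.8.4")]


def parse_version(text):
    """Turn '4.4.4' (or '7.8.17-SNAPSHOT', qualifier ignored) into an int tuple.

    Missing components count as 0, so '4.5' compares equal to '4.5.0'.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if match is None:
        raise ValueError(f"not a dotted version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def affected_range(version, ranges):
    """Return the (lower, upper) pair that contains `version`, or None.

    Integer tuples are compared so that '3.10.0' sorts after '3.9.9', which a
    plain string comparison would get wrong.
    """
    v = parse_version(version)
    for lower, upper in ranges:
        if parse_version(lower) <= v < parse_version(upper):
            return (lower, upper)
    return None


def assess(server_version, plugin_version=None):
    """Combine the two checks.

    A bundled plugin is covered by the server check; pass `plugin_version`
    when the plugin was installed separately (for example on Stash 3.11 via
    UPM). The verdict only matters for instances that have a HipChat link
    configured, which the advisory lists as a precondition.
    """
    server_hit = affected_range(server_version, SERVER_AFFECTED)
    plugin_hit = affected_range(plugin_version, PLUGIN_AFFECTED) if plugin_version else None
    return {
        "server_range": server_hit,
        "plugin_range": plugin_hit,
        "affected": server_hit is not None or plugin_hit is not None,
    }


if __name__ == "__main__":
    # constructed sample inventory: (host, server version, separately installed plugin or None)
    inventory = [("bb-prod", "4.7.1", None), ("bb-stage", "4.8.4", None),
                 ("stash-legacy", "3.11.6", "6.27.4")]
    for host, server, plugin in inventory:
        print(host, assess(server, plugin))
```

Feed it the versions from your own inventory; a "server_range" hit means the bundled plugin is one of the affected builds and the instance should be upgraded to the fixed release for that line and its secret key rotated as described under "What You Need to Do".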

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced in version 3.10.0 of Bitbucket Server. Versions of Bitbucket Server from 3.10.0 before 4.4.3 (the fixed version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for 4.5.x), from 4.6.0 before 4.6.4 (the fixed version for 4.6.x), from 4.7.0 before 4.7.3 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are affected by this vulnerability.

Customers who have upgraded Bitbucket Server to version 4.4.4, 4.5.3, 4.6.4, 4.7.2, 4.8.4 or 4.9.x are not affected.

  • Customers who have downloaded and installed Bitbucket Server >= 3.10.0 less than 4.4.3 (the fixed version for 4.4.x)
  • Customers who have downloaded and installed Bitbucket Server >= 4.5.0 less than 4.5.3 (the fixed version for 4.5.x)
  • Customers who have downloaded and installed Bitbucket Server >= 4.6.0 less than 4.6.4 (the fixed version for 4.6.x)
  • Customers who have downloaded and installed Bitbucket Server >= 4.7.0 less than 4.7.3 (the fixed version for 4.7.x)
  • Customers who have downloaded and installed Bitbucket Server >= 4.8.0 less than 4.8.4 (the fixed version for 4.8.x)

Please upgrade your Bitbucket Server installations immediately to fix this vulnerability.

The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance (CVE-2016-6668)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.


Description

The Atlassian Hipchat Integration Plugin for Bitbucket Server exposed the secret key it used to communicate with a linked HipChat service in various administration pages. For this vulnerability to affect your Bitbucket Server instance you must have a HipChat integration established. To exploit this issue, attackers must have Admin access to a Bitbucket Server. Using the secret key attackers could gain full control over a linked HipChat instance.

All versions of Atlassian Hipchat Integration Plugin for Bitbucket Server from 6.26.0 before 6.27.5, from 6.28.0 before 7.3.7 and from 7.4.0 before 7.8.17 are affected by this vulnerability. 

All versions of Bitbucket Server from 3.10.0 before 4.4.4 (the fixed version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for 4.5.x), from 4.6.0 before 4.6.4 (the fixed version for 4.6.x), from 4.7.0 before 4.7.2 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are affected by this vulnerability. This issue can be tracked here: BSERV-9146.
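As an added example (not code from the HipChat plugin or from Bitbucket Server), the following Python sketch shows the class of defect the description refers to: an administration page that renders a stored link verbatim, next to a version that masks secret-bearing settings before anything is rendered, plus a regression check that a rendered page never contains the configured secret. The setting names, the sample link and the name pattern are constructed for illustration.

```python
"""Keep a link's secret key out of administration pages.

Added example, not code from the HipChat plugin or Bitbucket Server. The
setting names, the sample link and the two renderers are constructed to
illustrate the defect the advisory describes and one way to close it.
"""
import re

# Setting names that must never be shown in clear on an admin page (assumption)
SECRET_NAME = re.compile(r"secret|token|password|api[_-]?key|\bkey\b", re.IGNORECASE)

# Constructed sample: what a stored HipChat link might look like
HIPCHAT_LINK = {
    "hipchat_url": "https://hipchat.example.invalid",
    "oauth_client_id": "client-123",
    "oauth_secret": "constructed-secret-0123456789abcdef",
    "rooms": [{"name": "dev", "room_token": "roomtok-XYZ789"}],
}


def mask(value, keep=4):
    """Show only the last `keep` characters: enough for an admin to recognise
    which key is configured, not enough to reuse it."""
    if not isinstance(value, str) or not value:
        return "****"
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def redact(settings):
    """Copy of `settings` with every secret-looking key masked, walking nested
    dicts and lists so a token inside a sub-section is not missed."""
    if isinstance(settings, dict):
        return {k: mask(v) if SECRET_NAME.search(k) else redact(v)
                for k, v in settings.items()}
    if isinstance(settings, list):
        return [redact(item) for item in settings]
    return settings


def flatten(settings, prefix=""):
    """Yield (dotted.path, value) pairs for display."""
    if isinstance(settings, dict):
        for k, v in settings.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(settings, list):
        for i, v in enumerate(settings):
            yield from flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), settings


def render_vulnerable(settings):
    """The pattern the advisory describes: the stored link is printed as-is,
    so anyone who can open the page can read the secret."""
    return "\n".join(f"{path}: {value}" for path, value in flatten(settings))


def render_fixed(settings):
    """Same page, but secrets are masked before the page is built."""
    return render_vulnerable(redact(settings))


def page_leaks(page, secret):
    """Regression check worth keeping in a test suite: a rendered admin page
    must never contain a configured secret verbatim."""
    return secret in page


if __name__ == "__main__":
    print(render_fixed(HIPCHAT_LINK))
```

The masking is applied to a copy, so the stored configuration is untouched; the `page_leaks` check is the part to wire into a test so that a later template change cannot quietly reintroduce the leak.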

Mitigation

If you are unable to upgrade your Bitbucket Server, then as a temporary workaround, you can disable or uninstall the Atlassian Hipchat Integration Plugin.


Fix

We have taken the following steps to address this issue:

  1. Released Bitbucket Server version 4.4.4 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version.
  2. Released Bitbucket Server version 4.5.3 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version.
  3. Released Bitbucket Server version 4.6.4 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version.
  4. Released Bitbucket Server version 4.7.2 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version.
  5. Released Bitbucket Server version 4.8.4 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version.
  6. Released Bitbucket Server version 4.9.0 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version.

What You Need to Do

Upgrade (recommended)

The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.


Upgrade Bitbucket Server to version 4.9.0 or higher.

If you are running Bitbucket Server and cannot upgrade to Bitbucket Server 4.9.0 or higher, then upgrade to one of the fixed versions listed below.

  • 4.4.4
  • 4.5.3
  • 4.6.4
  • 4.7.2
  • 4.8.4


If you are running Stash 3.11, then download the JARs from here and install them using the instructions for installing add-ons using UPM found at https://confluence.atlassian.com/display/UPM/Installing+add-ons#Installingadd-ons-Installingbyfileupload, after which you must restart Stash. Install version 6.27.5 of the Atlassian Hipchat Integration Plugin, which contains the fix.

Next, follow these steps to rotate the secret key. 

You need admin permissions for both Bitbucket Server and HipChat to do this: 

  1. Log in to Bitbucket Server as a user with admin permissions and go to <your-bitbucket-server-site>/plugins/servlet/hipchat/configure
  2. Click Remove integration. This will sever the link and uninstall the add-on in HipChat.
  3. Once you land back on the HipChat Integration page, click Connect HipChat. This will re-establish the link between HipChat and Bitbucket Server with a new secret key.

For a full description of the latest version of Bitbucket Server, see the release notes. You can download the latest version of Bitbucket Server from the download centre.


Support

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug Fix Policy

As per our new policy, critical security bug fixes will be backported to major software versions for up to 12 months for JIRA and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released.

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.

Last modified on Oct 6, 2016
