Hipchat Server Security Advisory 2017-11-22


Remote code execution in Hipchat Server and Hipchat Data Center (CVE-2017-14585), and Hipchat for Mac desktop client (CVE-2017-14586)

Summary

CVE-2017-14585 - Remote code execution in Hipchat Server and Data Center

CVE-2017-14586 - Client-side remote code execution in Hipchat for Mac desktop client

Advisory Release Date

10 AM PST (Pacific Time, -7 hours)

Products
  • Hipchat Server
  • Hipchat Data Center
  • Hipchat for Mac desktop client
Affected Hipchat for Mac desktop client versions
  • 4.0 <= version < 4.30
Affected Hipchat Server versions
  • 2.2.0 <= version < 2.2.6
Affected Hipchat Data Center versions
  • 3.0.0 <= version < 3.1.0
Fixed Hipchat for Mac desktop client versions
  • 4.30
Fixed Hipchat Server versions
  • 2.2.6
Fixed Hipchat Data Center versions
  • 3.1.0
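To check an inventory of installs against the version ranges listed above, here is an added example in Python (not Atlassian's tooling). The product names and ranges are the advisory's; the function and constant names are assumptions. It also shows why versions must be compared as integer tuples rather than strings, since "4.30" sorts before "4.4" lexicographically.

```python
"""Classify Hipchat versions against the affected ranges in this advisory."""
from typing import Tuple

# (first affected, first fixed) per product, taken from the lists above.
AFFECTED_RANGES = {
    "Hipchat Server": ("2.2.0", "2.2.6"),
    "Hipchat Data Center": ("3.0.0", "3.1.0"),
    "Hipchat for Mac desktop client": ("4.0", "4.30"),
}

# Hipchat Server releases for which Atlassian published a binary patch
# as an alternative to upgrading (see the Fix section of this advisory).
PATCHABLE_SERVER_VERSIONS = {"2.2.4", "2.2.5"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.30' into (4, 30).

    Plain string comparison would rank '4.30' below '4.4'; comparing
    integer tuples gives the ordering the advisory's ranges intend.
    """
    return tuple(int(part) for part in text.strip().split("."))


def assess(product: str, version: str) -> str:
    """Return 'affected', 'affected (patch available)' or 'not affected'."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"product not covered by this advisory: {product}")
    first_bad, first_fixed = AFFECTED_RANGES[product]
    current = parse_version(version)
    if parse_version(first_bad) <= current < parse_version(first_fixed):
        if product == "Hipchat Server" and version.strip() in PATCHABLE_SERVER_VERSIONS:
            return "affected (patch available)"
        return "affected"
    return "not affected"


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real deployments.
    inventory = [
        ("Hipchat Server", "2.2.5"),
        ("Hipchat Data Center", "3.1.0"),
        ("Hipchat for Mac desktop client", "4.4"),
        ("Hipchat for Mac desktop client", "4.30"),
    ]
    for product, version in inventory:
        print(f"{product} {version}: {assess(product, version)}")
```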
CVE ID(s)

CVE-2017-14585

CVE-2017-14586

Summary of advisory

This advisory discloses critical severity security vulnerabilities affecting the Hipchat for Mac desktop client and Hipchat Server & Data Center products. 

Hipchat Server and Hipchat Data Center - Remote code execution via SSRF in 'admin' interface - CVE-2017-14585

Summary of Vulnerability

This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected.

Customers who have upgraded Hipchat Server to version 2.2.6 are not affected. Customers who have upgraded Hipchat Data Center to version 3.1.0 are not affected.

Please upgrade your Hipchat Server and Hipchat Data Center instances immediately to fix this vulnerability.

Hipchat Server and Hipchat Data Center - Remote code execution via SSRF in 'admin' interface

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description

A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators.

Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 and versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected by this vulnerability. This issue can be tracked as HCPUB-3526.

Acknowledgements

Atlassian would like to credit z0rg and exploitcat for reporting this issue to us.

Fix

We have taken the following steps to address this issue:

  1. Released Hipchat Server version 2.2.6 which contains a fix for this issue.
  2. Released Hipchat Data Center version 3.1.0 which contains a fix for this issue.
  3. Released a patch for Hipchat Server versions 2.2.4 and 2.2.5 which contains a fix for this issue.

What You Need to Do

Remember to create a backup before you upgrade, either with a virtualization snapshot or using a data backup/export. See Back up and restore Hipchat Server for more details.

Upgrade (recommended)

The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.

Upgrade Hipchat Server to version 2.2.6 or later.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat Server, see the release notes. You can download the latest version of Hipchat Server here.

Upgrade Hipchat Data Center to version 3.1.0 or later.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat Data Center, see the release notes. You can download the latest version of Hipchat Data Center here.

Patch

Patch Hipchat Server versions 2.2.4 or 2.2.5.

Customers running Hipchat Server versions 2.2.4 or 2.2.5 can find a patch which fixes this issue here.

Mitigation

Atlassian recommends that you upgrade to the latest version of Hipchat Server and Hipchat Data Center.

Hipchat for Mac desktop client - Client-side remote code execution via video link parsing - CVE-2017-14586

Summary of Vulnerability

This issue was introduced in version 4.0 of the Hipchat for Mac desktop client. Versions of Hipchat for Mac desktop client starting with 4.0 and before 4.30 are affected by this vulnerability.

Customers who have upgraded Hipchat for Mac desktop client to version 4.30 are not affected.

Please upgrade your Hipchat for Mac desktop client installations immediately to fix this vulnerability.

Hipchat for Mac desktop client - Client-side remote code execution via video link parsing

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description

The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing.

Hipchat for Mac desktop clients at or above version 4.0 and before version 4.30 are affected by this vulnerability. This issue can be tracked as HCPUB-3473.

Acknowledgements

Atlassian would like to credit Matt Austin (@mattaustin) for reporting this issue to us.

Fix

We have taken the following steps to address this issue:

  1. Released Hipchat for Mac desktop client version 4.30 that contains a fix for this issue.

What You Need to Do

Upgrade (recommended)

The vulnerability and fix version are described in the description section above. Atlassian recommends that you upgrade to the latest version.

Upgrade Hipchat for Mac desktop client to version 4.30 or later.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat for Mac desktop client, see the release notes. You can download the latest version of Hipchat for Mac desktop client here.

Mitigation

Atlassian recommends that you upgrade to the latest version of the Hipchat for Mac desktop client.

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy, critical security bug fixes will be backported to major software versions for up to 12 months for Jira and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released.

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.
Last modified on Dec 6, 2017
