Hipchat Server Security Advisory 2017-11-22
Remote code execution in Hipchat Server and Hipchat Data Center (CVE-2017-14585), and Hipchat for Mac desktop client (CVE-2017-14586)
Summary | CVE-2017-14585 - Remote code execution in Hipchat Server and Data Center; CVE-2017-14586 - Client-side remote code execution in Hipchat for Mac desktop client
---|---
Advisory Release Date | 2017-11-22, 10 AM PST (Pacific Time, -7 hours)
Products | Hipchat Server, Hipchat Data Center, Hipchat for Mac desktop client
Affected Hipchat for Mac desktop client versions | 4.0 and later, before 4.30
Affected Hipchat Server versions | 2.2.0 and later, before 2.2.6
Affected Hipchat Data Center versions | 3.0.0 and later, before 3.1.0
Fixed Hipchat for Mac desktop client versions | 4.30
Fixed Hipchat Server versions | 2.2.6 (binary patch available for 2.2.4 and 2.2.5)
Fixed Hipchat Data Center versions | 3.1.0
CVE ID(s) | CVE-2017-14585, CVE-2017-14586
Summary of advisory
This advisory discloses critical severity security vulnerabilities affecting the Hipchat for Mac desktop client and Hipchat Server & Data Center products.
Hipchat Server and Hipchat Data Center - Remote code execution via SSRF in 'admin' interface - CVE-2017-14585
Summary of Vulnerability
This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected.
Customers who have upgraded Hipchat Server to version 2.2.6 are not affected. Customers who have upgraded Hipchat Data Center to version 3.1.0 are not affected.
Please upgrade your Hipchat Server and Hipchat Data Center instances immediately to fix this vulnerability.
Hipchat Server and Hipchat Data Center - Remote code execution via SSRF in 'admin' interface
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.
Description
A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators.
Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 and versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected by this vulnerability. This issue can be tracked here: HCPUB-3526.
Acknowledgements
Atlassian would like to credit z0rg and exploitcat for reporting this issue to us.
Fix
We have taken the following steps to address this issue:
- Released Hipchat Server version 2.2.6 which contains a fix for this issue.
- Released Hipchat Data Center version 3.1.0 which contains a fix for this issue.
- Released a patch for Hipchat Server versions 2.2.4 and 2.2.5 which contains a fix for this issue.
What You Need to Do
Remember to create a backup before you upgrade, either with a virtualization snapshot or using a data backup/export. See Back up and restore Hipchat Server for more details.
Upgrade (recommended)
The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.
Upgrade Hipchat Server to version 2.2.6 or later.
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat Server, see the release notes. You can download the latest version of Hipchat Server here.
Upgrade Hipchat Data Center to version 3.1.0 or later.
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat Data Center, see the release notes. You can download the latest version of Hipchat Data Center here.
Patch
Patch Hipchat Server versions 2.2.4 or 2.2.5.
Customers running Hipchat Server versions 2.2.4 or 2.2.5 can find a patch which fixes this issue here.
Mitigation
Atlassian recommends that you upgrade to the latest version of Hipchat Server and Hipchat Data Center.
Hipchat for Mac desktop client - Client-side remote code execution via video link parsing - CVE-2017-14586
Summary of Vulnerability
This issue was introduced in version 4.0 of the Hipchat for Mac desktop client. Versions of Hipchat for Mac desktop client starting with 4.0 and before 4.30 are affected by this vulnerability.
Customers who have upgraded Hipchat for Mac desktop client to version 4.30 are not affected.
Please upgrade your Hipchat for Mac desktop client installations immediately to fix this vulnerability.
Hipchat for Mac desktop client - Client-side remote code execution via video link parsing
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.
Description
The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing.
Hipchat for Mac desktop clients at or above version 4.0 and before version 4.30 are affected by this vulnerability. This issue can be tracked here: HCPUB-3473.
Acknowledgements
Atlassian would like to credit Matt Austin (@mattaustin) for reporting this issue to us.
Fix
We have taken the following steps to address this issue:
- Released Hipchat for Mac desktop client version 4.30 that contains a fix for this issue.
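The affected and fixed version ranges for both CVEs above, turned into an inventory check. This is an added example, not Atlassian's code or tooling; the product keys, the constructed inventory and the `triage` helper are assumptions for illustration, and the version ranges are the ones stated in this advisory.

```python
"""Classify Hipchat inventory entries against the ranges in this advisory."""
import re

# Affected ranges from the advisory, as [introduced, fixed) per product.
AFFECTED = {
    "hipchat-server": ("2.2.0", "2.2.6"),        # CVE-2017-14585
    "hipchat-data-center": ("3.0.0", "3.1.0"),   # CVE-2017-14585
    "hipchat-mac-client": ("4.0", "4.30"),       # CVE-2017-14586
}

# Server versions for which the advisory offers a binary patch.
PATCHED_SERVER = {"2.2.4", "2.2.5"}


def parse_version(v: str) -> tuple:
    """Turn '2.2.6' or '4.30' into a comparable tuple of ints, padded to 3 parts."""
    v = v.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(product: str, version: str) -> bool:
    """True when version lies in the advisory's affected range for the product."""
    lo, hi = AFFECTED[product]
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def remediation(product: str, version: str) -> str:
    """Map one inventory entry to the action the advisory recommends."""
    if not is_affected(product, version):
        return "not affected"
    if product == "hipchat-server" and version in PATCHED_SERVER:
        return "patch available; upgrade to 2.2.6 or later recommended"
    return f"upgrade to {AFFECTED[product][1]} or later"


def triage(inventory):
    """inventory: iterable of (host, product, version) -> list of (host, action)."""
    return [(host, remediation(product, ver)) for host, product, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are placeholders).
    sample = [("chat-01", "hipchat-server", "2.2.5"),
              ("chat-dc", "hipchat-data-center", "3.0.2"),
              ("laptop-7", "hipchat-mac-client", "4.29"),
              ("laptop-8", "hipchat-mac-client", "4.30")]
    for host, action in triage(sample):
        print(f"{host}: {action}")
```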
What You Need to Do
Upgrade (recommended)
The vulnerability and fix version are described in the description section above. Atlassian recommends that you upgrade to the latest version.
Upgrade Hipchat for Mac desktop client to version 4.30 or later.
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat for Mac desktop client, see the release notes. You can download the latest version of Hipchat for Mac desktop client here.
Mitigation
Atlassian recommends that you upgrade to the latest version of the Hipchat for Mac desktop client.
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
Reference | Description
---|---
Security Bug fix Policy | As per our new policy, critical security bug fixes will be back ported to major software versions for up to 12 months for Jira and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches. Binary patches will no longer be released.
Severity Levels for security issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details.