How to patch Hipchat Server for CVE-2015-7547
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
This version of Hipchat Server is no longer supported
This article applies to a version of Hipchat Server which is beyond the Atlassian End of Life policy, and is no longer supported.
You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes. If possible, you should also consider deploying Hipchat Data Center instead.
Purpose
To describe the proper method of patching Hipchat Server for the CVE-2015-7547 vulnerability.
Note that Hipchat Server version 2.0 build 1.4.1 is available as a Production Release and already includes the resolution for the issue described on this page.
(Please Watch the Hipchat Server Release Notes page to be informed of new releases).
These instructions are for patching build 1.3.7 or 1.3.4 if you are unable to use beta releases by policy.
Solution
This patch requires restarting the Hipchat Server virtual machine to fully apply changes.
This has only been verified against Hipchat Server v1.3.7 and v1.3.4.
Please see Upgrading Hipchat Server to determine the current Hipchat Server version and steps to upgrade, if necessary.
- Back up the Hipchat Server
- Log into the Hipchat Server terminal/command-line interface
Copy and execute the following command to download and apply the patch:
sudo dont-blame-hipchat -c \ "wget https://s3.amazonaws.com/hipchat-server-stable/utils/cve-2015-7547/cve-2015-7547-patch.sh; \ chmod +x cve-2015-7547-patch.sh; \ ./cve-2015-7547-patch.sh"- Reboot the Hipchat Server virtual machine to fully apply the changes