How to patch Hipchat Server for CVE-2015-7547
This article only applies to Atlassian's server products. Learn more about the differences between cloud and server.
This version of Hipchat Server is no longer supported
This article applies to a version of Hipchat Server which is beyond the Atlassian End of Life policy, and is no longer supported.
The following versions have been deprecated:
- Hipchat Server 1.3 (EOL Date: Aug 17, 2017)
The following versions will be deprecated soon:
- Hipchat Server 2.0 (EOL Date: Jun 17, 2018)
- Hipchat Server 2.1 (EOL Date: Dec 8, 2018)
- Hipchat Server 2.2 (EOL Date: May 30, 2019)
You can read more about Atlassian's End of Life policy here
You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes. If possible, you should also consider deploying Hipchat Data Center instead.
To describe the proper method of patching Hipchat Server for the CVE-2015-7547 vulnerability.
Note that Hipchat Server version 2.0 build 1.4.1 is available as a Production Release and already includes the resolution for the issue described on this page.
(Please Watch the Hipchat Server Release Notes page to be informed of new releases).
These instructions are for patching build 1.3.7 or 1.3.4 if you are unable to use beta releases by policy.
This patch requires restarting the Hipchat Server virtual machine to fully apply changes.
This has only been verified against Hipchat Server v1.3.7 and v1.3.4.
Please see Upgrading Hipchat Server to determine the current Hipchat Server version and steps to upgrade, if necessary.
- Back up the Hipchat Server
- Log into the Hipchat Server terminal/command-line interface
Copy and execute the following command to download and apply the patch:
sudo dont-blame-hipchat -c \ "wget https://s3.amazonaws.com/hipchat-server-stable/utils/cve-2015-7547/cve-2015-7547-patch.sh; \ chmod +x cve-2015-7547-patch.sh; \ ./cve-2015-7547-patch.sh"
- Reboot the Hipchat Server virtual machine to fully apply the changes