Hipchat Server Security Advisory 2017-04-24
Hipchat Server - Remote Code Execution via Image Uploads - CVE-2017-8080
Summary | CVE-2017-8080 - Remote Code Execution via Image Uploads |
---|---|
Advisory Release Date | 10 AM PDT (Pacific Time, -7 hours) |
Product | Hipchat Server |
Affected Hipchat Server Versions |
|
Fixed Hipchat Server Versions | 2.2.4 |
CVE ID(s) | CVE-2017-8080 |
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability which was introduced in version 1.0 of Hipchat Server. Versions of Hipchat Server starting with 1.0 before 2.2.4 are affected by this vulnerability.
Hipchat Cloud instances have already been upgraded to a version of Hipchat Cloud which does not have the issue described on this page.
Customers who have upgraded Hipchat Server to version 2.2.4 are not affected.
Customers who have downloaded and installed Hipchat Server 1.0 or later, but before version 2.2.4.
Please upgrade your Hipchat Server installations immediately to fix this vulnerability
Or run the following patch during a maintenance window (it will restart all the services and disconnect all the users)
cd /home/admin
# download the patch
wget https://s3.amazonaws.com/hipchat-server-stable/utils/cve-2017-8080.tar.gz
# verify the checksum is 9b82ab29207552046f8848601c76432ab18cc697dac7cda20d7201e59e540fd7
sha256sum cve-2017-8080.tar.gz
# Extract the patch files
tar xf cve-2017-8080.tar.gz
# Execute the patch
cd /home/admin/CVE-2017-8080; sudo dont-blame-hipchat -c './install.sh'
# The output should end with "Patch applied"
Hipchat Server - Remote Code Execution via Image Uploads - CVE-2017-8080
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
An attacker with user level privileges could gain Remote Code Execution via a malicious image upload.
All versions of Hipchat Server up to and including 2.2.3 are affected by this vulnerability. This issue can be tracked here:
- HCPUB-2980Getting issue details... STATUS
Fix
We have taken the following steps to address this issue:
- Released a patch that resolves this issue.
- Released Hipchat Server version 2.2.4 that contains a fix for this issue.
What You Need to Do
Option A: Upgrade (recommended):
The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.
Option B: Patch
Run the following patch during a maintenance window (it will restart all the services and disconnect all the users)
cd /home/admin
# download the patch
wget https://s3.amazonaws.com/hipchat-server-stable/utils/cve-2017-8080.tar.gz
# verify the checksum is 9b82ab29207552046f8848601c76432ab18cc697dac7cda20d7201e59e540fd7
sha256sum cve-2017-8080.tar.gz
# Extract the patch files
tar xf cve-2017-8080.tar.gz
# Execute the patch
cd /home/admin/CVE-2017-8080; sudo dont-blame-hipchat -c './install.sh'
# The output should end with "Patch applied"
Upgrade Hipchat Server to version 2.2.4 or higher.
Information on upgrading Hipchat Server can be found at Upgrading Hipchat Server.
How do I check which version of Hipchat Sever I am running?
You can check which version of Hipchat Server you are running by going to https://<your-server>/server_admin/upgrade
or by using SSH to log in to your Hipchat Server and running cat /etc/hipchat-release
For a full description of the latest version of Hipchat Server, see the release notes.
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
Security Bug fix Policy | As per our new policy critical security bug fixes will be back ported to major software versions for up to 12 months for Jira and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches. Binary patches will no longer be released. |
Severity Levels for security issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |