Hipchat Server Security Advisory 2017-04-24

Still need help?

The Atlassian Community is here for you.

Ask the community

Hipchat Server - Remote Code Execution via Image Uploads - CVE-2017-8080

Summary

CVE-2017-8080 - Remote Code Execution via Image Uploads

Advisory Release Date

 10 AM PDT (Pacific Time, -7 hours)

ProductHipchat Server

Affected Hipchat Server Versions

  • 1.0 <= version <  2.2.4

Fixed Hipchat Server Versions

2.2.4
CVE ID(s)CVE-2017-8080

 

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced in version 1.0 of Hipchat Server. Versions of Hipchat Server starting with 1.0 before 2.2.4 are affected by this vulnerability.

 

Hipchat Cloud instances have already been upgraded to a version of Hipchat Cloud which does not have the issue described on this page.

Customers who have upgraded Hipchat Server to version 2.2.4 are not affected.

Customers who have downloaded and installed Hipchat Server 1.0 or later, but before version 2.2.4.

Please upgrade your Hipchat Server installations immediately to fix this vulnerability

Or run the following patch during a maintenance window (it will restart all the services and disconnect all the users)

cd /home/admin
# download the patch
wget https://s3.amazonaws.com/hipchat-server-stable/utils/cve-2017-8080.tar.gz
# verify the checksum is 9b82ab29207552046f8848601c76432ab18cc697dac7cda20d7201e59e540fd7
sha256sum cve-2017-8080.tar.gz
# Extract the patch files
tar xf cve-2017-8080.tar.gz
# Execute the patch
cd /home/admin/CVE-2017-8080; sudo dont-blame-hipchat -c './install.sh'
# The output should end with "Patch applied"



Hipchat Server - Remote Code Execution via Image Uploads - CVE-2017-8080

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

 

Description

An attacker with user level privileges could gain Remote Code Execution via a malicious image upload.

All versions of Hipchat Server up to and including 2.2.3 are affected by this vulnerability. This issue can be tracked here: 

 

HCPUB-2980 - Getting issue details... STATUS




Fix

We have taken the following steps to address this issue:

  1. Released a patch that resolves this issue.
  2. Released Hipchat Server version 2.2.4 that contains a fix for this issue.

What You Need to Do

 

Option A: Upgrade (recommended):

 The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.

Option B: Patch

Run the following patch during a maintenance window (it will restart all the services and disconnect all the users)

cd /home/admin
# download the patch
wget https://s3.amazonaws.com/hipchat-server-stable/utils/cve-2017-8080.tar.gz
# verify the checksum is 9b82ab29207552046f8848601c76432ab18cc697dac7cda20d7201e59e540fd7
sha256sum cve-2017-8080.tar.gz
# Extract the patch files
tar xf cve-2017-8080.tar.gz
# Execute the patch
cd /home/admin/CVE-2017-8080; sudo dont-blame-hipchat -c './install.sh'
# The output should end with "Patch applied"

 


Upgrade Hipchat Server to version 2.2.4 or higher.

Information on upgrading Hipchat Server can be found at Upgrading Hipchat Server.

 

How do I check which version of Hipchat Sever I am running?

You can check which version of Hipchat Server you are running by going to https://<your-server>/server_admin/upgrade or by using SSH to log in to your Hipchat Server and running cat /etc/hipchat-release

For a full description of the latest version of Hipchat Server, see the release notes.

 

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy critical security bug fixes will be back ported to major software versions for up to 12 months for Jira and Confluence.  We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released. 

Severity Levels for security issuesAtlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life Policy Our end of life policy varies for different products. Please refer to our EOL Policy for details. 
Last modified on Nov 30, 2017

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.