Hipchat Server Security Advisory 2017-11-22

Remote code execution in Hipchat Server and Hipchat Data Center (CVE-2017-14585), and Hipchat for Mac desktop client (CVE-2017-14586)

Summary

CVE-2017-14585 - Remote code execution in Hipchat Server and Data Center

CVE-2017-14586 - Client-side remote code execution in Hipchat for Mac desktop client

Advisory release date

22 Nov 2017, 10 AM PST (Pacific Time, UTC-8)

Products
  • Hipchat Server
  • Hipchat Data Center
  • Hipchat for Mac desktop client
Affected Hipchat for Mac desktop client versions
  • 4.0 <= version < 4.30
Affected Hipchat Server versions
  • 2.2.0 <= version < 2.2.6
Affected Hipchat Data Center versions
  • 3.0.0 <= version < 3.1.0
Fixed Hipchat for Mac desktop client versions
  • 4.30
Fixed Hipchat Server versions
  • 2.2.6
Fixed Hipchat Data Center versions
  • 3.1.0
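A quick way to triage an inventory of installs against the version ranges above. This is an added example, not Atlassian's code or tooling: the product keys, function names and the sample inventory are this example's own assumptions. It only tells you which range a reported version falls in; it cannot tell whether the binary patch for Hipchat Server 2.2.4/2.2.5 has already been applied, so a patched 2.2.5 still shows as affected and needs to be confirmed by hand.

```python
"""Triage an inventory of Hipchat installs against the version ranges in this
advisory. Added example, not Atlassian code; the product keys, function names
and the sample inventory below are this example's own."""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges copied from the advisory: introduced <= version < fixed.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "hipchat-server": ("2.2.0", "2.2.6"),
    "hipchat-data-center": ("3.0.0", "3.1.0"),
    "hipchat-mac-client": ("4.0", "4.30"),
}

# Server releases the advisory says can take the binary patch instead of upgrading.
PATCHABLE_SERVER_VERSIONS = {"2.2.4", "2.2.5"}


def parse_version(text: str) -> Version:
    """'2.2.5' -> (2, 2, 5). Pad to three components so '4.0' and '4.0.0'
    compare equal, and compare components as integers: 4.30 is newer than
    4.4, which a plain string comparison would get wrong."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))
    return tuple(nums)


def is_affected(product: str, version: str) -> bool:
    """True if version is inside the advisory's affected range for product."""
    introduced, fixed = AFFECTED_RANGES[product]
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def remediation(product: str, version: str) -> str:
    """Action to take for one install, per the advisory's fix section."""
    if not is_affected(product, version):
        return "not affected"
    _, fixed = AFFECTED_RANGES[product]
    patchable = {parse_version(v) for v in PATCHABLE_SERVER_VERSIONS}
    if product == "hipchat-server" and parse_version(version) in patchable:
        return f"upgrade to {fixed} or later (or apply the 2.2.4/2.2.5 patch)"
    return f"upgrade to {fixed} or later"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, action) for every affected entry of a (host, product, version) list."""
    out = []
    for host, product, version in inventory:
        if is_affected(product, version):
            out.append((host, remediation(product, version)))
    return out


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("chat-prod-01", "hipchat-server", "2.2.5"),
    ("chat-prod-02", "hipchat-server", "2.2.6"),
    ("chat-dc-01", "hipchat-data-center", "3.0.2"),
    ("laptop-alice", "hipchat-mac-client", "4.29"),
    ("laptop-bob", "hipchat-mac-client", "4.30"),
    ("laptop-carol", "hipchat-mac-client", "4.4"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

The numeric comparison is the point worth keeping: the Mac client fix version is 4.30, and any check that sorts version strings lexically will place 4.4 after 4.30 and wrongly report it as fixed.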
CVE ID

CVE-2017-14585

CVE-2017-14586

Summary of advisory

This advisory discloses critical severity security vulnerabilities affecting the Hipchat for Mac desktop client and Hipchat Server & Data Center products. 

Hipchat Server and Hipchat Data Center - Remote code execution via SSRF in 'admin' interface - CVE-2017-14585

Vulnerability overview

This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected.

Customers who have upgraded Hipchat Server to version 2.2.6 are not affected. Customers who have upgraded Hipchat Data Center to version 3.1.0 are not affected.

Please upgrade your Hipchat Server and Hipchat Data Center instances immediately to fix this vulnerability.

Hipchat Server and Hipchat Data Center - Remote code execution via SSRF in 'admin' interface

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description

A Server Side Request Forgery (SSRF) vulnerability in the admin interface could be used by an authenticated administrator to achieve remote code execution on the server.

Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 and versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected by this vulnerability. This issue can be tracked here: HCPUB-3526

Acknowledgements

Atlassian would like to credit z0rg and exploitcat for reporting this issue to us.

Fix

We have taken the following steps to address this issue:

  1. Released Hipchat Server version 2.2.6, which contains a fix for this issue.
  2. Released Hipchat Data Center version 3.1.0, which contains a fix for this issue.
  3. Released a patch for Hipchat Server versions 2.2.4 and 2.2.5 which contains a fix for this issue.

What you need to do

Remember to create a backup before you upgrade, either with a virtualization snapshot or using a data backup/export. See Back up and restore Hipchat Server for more details.

Upgrade (recommended)

The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.

Upgrade Hipchat Server to version 2.2.6 or later.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat Server, see the release notes. You can download the latest version of Hipchat Server here.

Upgrade Hipchat Data Center to version 3.1.0 or later.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat Data Center, see the release notes. You can download the latest version of Hipchat Data Center here.

Patch

Patch Hipchat Server versions 2.2.4 or 2.2.5.

Customers running Hipchat Server versions 2.2.4 or 2.2.5 can find a patch which fixes this issue here.

Mitigation

Atlassian recommends that you upgrade to the latest version of Hipchat Server and Hipchat Data Center.

Hipchat for Mac desktop client - Client-side remote code execution via video link parsing - CVE-2017-14586

Vulnerability overview

This issue was introduced in version 4.0 of the Hipchat for Mac desktop client. Versions of Hipchat for Mac desktop client starting with 4.0 and before 4.30 are affected by this vulnerability.

Customers who have upgraded Hipchat for Mac desktop client to version 4.30 are not affected.

Please upgrade your Hipchat for Mac desktop client installations immediately to fix this vulnerability.

Hipchat for Mac desktop client - Client-side remote code execution via video link parsing

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description

The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing.

Hipchat for Mac desktop clients at or above version 4.0 and before version 4.30 are affected by this vulnerability. This issue can be tracked here: HCPUB-3473

Acknowledgements

Atlassian would like to credit Matt Austin (@mattaustin) for reporting this issue to us.

Fix

We have taken the following steps to address this issue:

  1. Released Hipchat for Mac desktop client version 4.30, which contains a fix for this issue.

What you need to do

Upgrade (recommended)

The vulnerability and fix version are described in the description section above. Atlassian recommends that you upgrade to the latest version.

Upgrade Hipchat for Mac desktop client to version 4.30 or later.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat for Mac desktop client, see the release notes. You can download the latest version of Hipchat for Mac desktop client here.

Mitigation

Atlassian recommends that you upgrade to the latest version of the Hipchat for Mac desktop client.

Support

If you did not receive an email for this security advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ja/.

References

Security Bug Fix Policy

As per our new policy, critical security bug fixes will be backported to major software versions for up to 12 months for Jira and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released.

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE ID. The severity level is based on the CVSS score that Atlassian independently calculates for each vulnerability. CVSS is an industry-standard vulnerability metric. Learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies by product. See Atlassian's End of Life Policy for details.

Last modified: 6 December 2017
