Hipchat Server - Remote Code Execution via Image Uploads - CVE-2017-8080

脆弱性の概要

This advisory discloses a critical severity security vulnerability which was introduced in version 1.0 of Hipchat Server. Versions of Hipchat Server starting with 1.0 before 2.2.4 are affected by this vulnerability.

cd /home/admin
# download the patch
wget https://s3.amazonaws.com/hipchat-server-stable/utils/cve-2017-8080.tar.gz
# verify the checksum is 9b82ab29207552046f8848601c76432ab18cc697dac7cda20d7201e59e540fd7
sha256sum cve-2017-8080.tar.gz
# Extract the patch files
tar xf cve-2017-8080.tar.gz
# Execute the patch
cd /home/admin/CVE-2017-8080; sudo dont-blame-hipchat -c './install.sh'
# The output should end with "Patch applied"

Hipchat Server - Remote Code Execution via Image Uploads - CVE-2017-8080

深刻度

アトラシアンはアトラシアンの深刻度レベルで公開されているスケールに従って、この脆弱性の深刻度レベルを重大として評価しています。このスケールによって、深刻度を重大、高度、中度、低度として評価できます。

This is an independent assessment and you should evaluate its applicability to your own IT environment.

説明

An attacker with user level privileges could gain Remote Code Execution via a malicious image upload.

All versions of Hipchat Server up to and including 2.2.3 are affected by this vulnerability. This issue can be tracked here: 

HCPUB-2980 - Getting issue details... STATUS

修正

弊社ではこの問題に対応するために次の対応を行いました。

1. Released a patch that resolves this issue.
2. Released Hipchat Server version 2.2.4 that contains a fix for this issue.

必要なアクション

Option A: Upgrade (recommended):

 The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.

Option B: Patch

Run the following patch during a maintenance window (it will restart all the services and disconnect all the users)

cd /home/admin
# download the patch
wget https://s3.amazonaws.com/hipchat-server-stable/utils/cve-2017-8080.tar.gz
# verify the checksum is 9b82ab29207552046f8848601c76432ab18cc697dac7cda20d7201e59e540fd7
sha256sum cve-2017-8080.tar.gz
# Extract the patch files
tar xf cve-2017-8080.tar.gz
# Execute the patch
cd /home/admin/CVE-2017-8080; sudo dont-blame-hipchat -c './install.sh'
# The output should end with "Patch applied"

Upgrade Hipchat Server to version 2.2.4 or higher.

Information on upgrading Hipchat Server can be found at Upgrading Hipchat Server.

How do I check which version of Hipchat Sever I am running?

You can check which version of Hipchat Server you are running by going to https://<your-server>/server_admin/upgrade or by using SSH to log in to your Hipchat Server and running cat /etc/hipchat-release

For a full description of the latest version of Hipchat Server, see the release notes.

サポート

このアドバイザリのメールを受信していないため今後の受信を希望する場合は、https://my.atlassian.com/email にアクセスしてアラート メールにご登録ください。

この勧告に関してご質問や懸念がある場合は、https://support.atlassian.com/ja/ でサポート リクエストを作成してください。

参考