Hipchat Data Center Security Advisory 2017-11-22

Security Advisories for Hipchat Data Center

このページの内容

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

Remote code execution in Hipchat Server and Hipchat Data Center (CVE-2017-14585), and Hipchat for Mac desktop client (CVE-2017-14586)

要約

CVE-2017-14585 - Remote code execution in Hipchat Server and Data Center

CVE-2017-14586 - Client-side remote code execution in Hipchat for Mac desktop client

勧告のリリース日

 10 AM PST (Pacific Time, -7 hours)

製品
  • Hipchat Server
  • Hipchat Data Center
  • Hipchat for Mac desktop client

Affected Hipchat for Mac desktop client versions

  • 4.0 <= version <  4.30
Affected Hipchat Server versions
  • 2.2.0 <= version <  2.2.6 
Affected Hipchat Data Center versions
  • 3.0.0 <= version <  3.1.0 

Fixed Hipchat for Mac desktop client versions

  • 4.30
Fixed Hipchat Server versions
  • 2.2.6
Fixed Hipchat Data Center versions
  • 3.1.0
CVE ID(s)

CVE-2017-14585

CVE-2017-14586

Summary of advisory

This advisory discloses critical severity security vulnerabilities affecting the Hipchat for Mac desktop client and Hipchat Server & Data Center products. 

Hipchat Server and Hipchat Data Center - Remote code execution via SSRF in 'admin' interface - CVE-2017-14585

脆弱性の概要

This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server  starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected. 

Customers who have upgraded Hipchat Server to version 2.2.6  are  not affected . Customers who have upgraded Hipchat Data Center to version 3.1.0 are not affected.

Please upgrade your Hipchat Server and Hipchat Data Center instances immediately to fix this vulnerability

Hipchat Server and Hipchat Data Center - Remote code execution via SSRF in 'admin' interface

重大度

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

説明

A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators.

Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 and versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected by this vulnerability. This issue can be tracked here:  HCPUB-3526 - Getting issue details... STATUS

謝辞

Atlassian would like to credit z0rg for reporting this issue to us.

修正

弊社ではこの問題に対応するために次の対応を行いました。

  1. Released Hipchat Server  version 2.2.6 which contains a fix for this issue.
  2. Released Hipchat Data Center version 3.1.0 which contains a fix for this issue.

必要なアクション

Remember to create a backup before you upgrade, either with a virtualization snapshot or using a data backup/export. See Back up and restore Hipchat Server for more details.

Upgrade (recommended)

The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.

Upgrade Hipchat Server to version 2.2.6 or later.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat Server, see the release notes. You can download the latest version of Hipchat Server here.

Upgrade Hipchat Data Center to version 3.1.0 or later.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat Data Center, see the release notes. You can download the latest version of Hipchat Data Center here.

問題の軽減策

Atlassian recommends that you upgrade to the latest version of Hipchat Server and Hipchat Data Center.

Hipchat for Mac desktop client - Client-side remote code execution via video link parsing - CVE-2017-14586

脆弱性の概要

This issue was introduced in version 4.0 of the Hipchat for Mac desktop client. Versions of Hipchat for Mac desktop client starting with 4.0 before 4.30 are affected by this vulnerability. 

Customers who have upgraded Hipchat for Mac desktop client to version 4.30  are  not affected .

Please upgrade your Hipchat for Mac desktop client installations immediately to fix this vulnerability.

Hipchat for Mac desktop client - Client-side remote code execution via video link parsing

重大度

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

説明

The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing.

 Hipchat for Mac desktop clients at or above version 4.0 and before version 4.30 are affected by this vulnerability. This issue can be tracked here:  HCPUB-3473 - Getting issue details... STATUS

謝辞

Atlassian would like to credit Matt Austin (@mattaustin) for reporting this issue to us.

修正

弊社ではこの問題に対応するために次の対応を行いました。

  1. Released Hipchat for Mac desktop client version 4.30 that contains a fix for this issue.

必要なアクション

Upgrade (recommended)

The vulnerability and fix version are described in the description section above. Atlassian recommends that you upgrade to the latest version.

Upgrade Hipchat for Mac desktop client to version 4.30 or later.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Hipchat for Mac desktop client, see the release notes. You can download the latest version of Hipchat for Mac desktop client here.

問題の軽減策

Atlassian recommends that you upgrade to the latest version of Hipchat's Desktop Mac client.

サポート

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

この勧告に関してご質問や懸念がある場合は、https://support.atlassian.com/ja/ でサポート リクエストを作成してください。

参考

セキュリティ バグの修正ポリシー

As per our new policy critical security bug fixes will be back ported to major software versions for up to 12 months for Jira and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released. 

セキュリティの問題の重大度レベルアトラシアンのセキュリティ勧告には重大度レベルと CVE ID が含まれます。重大度レベルは、それぞれの脆弱性についてアトラシアンが独自に計算した CVSS スコアに基づきます。CVSS は業界標準の脆弱性メトリックです。CVSS の詳細を FIRST.org でご確認ください。
サポート終了ポリシー サポート終了ポリシーは、製品によって異なります。詳細は、アトラシアンの「製品終了ポリシー」を参照してください。 
最終更新日 2017 年 11 月 30 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.