[BSERV-9146] CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The Atlassian Hipchat Integration Plugin for Bitbucket Server exposed the secret key it used to communicate with a linked HipChat service in various administration pages. For this vulnerability to affect your Bitbucket Server instance you must have a HipChat integration established. To exploit this issue, attackers must have Admin access to a Bitbucket Server. Using the secret key, attackers could gain full control over a linked HipChat instance.

Affected versions:

• All versions of Atlassian Hipchat Integration Plugin for Bitbucket Server from 6.26.0 before 6.27.5, from 6.28.0 before 7.3.7 and from 7.4.0 before 7.8.17 are affected by this vulnerability.
• All versions of Bitbucket Server from 3.10.0 before 4.4.4 (the fixed version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for 4.5.x), from 4.6.0 before 4.6.4 (the fixed version for 4.6.x), from 4.7.0 before 4.7.2 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are affected by this vulnerability.

Fix:

If you are running Stash 3.11, download the JARs from this issue and install them using the instructions for installing add-ons using UPM found at https://confluence.atlassian.com/display/UPM/Installing+add-ons#Installingadd-ons-Installingbyfileupload, after which you must restart Stash. Version 6.27.5 (which contains a fix) of the Atlassian Hipchat Integration Plugin should be installed.

Risk Mitigation:

• If you are unable to upgrade your Bitbucket Server, then as a temporary workaround you can disable or uninstall the Atlassian Hipchat Integration Plugin.

For additional details see the full advisory.

David Black added a comment - Yes, as per the full advisory we suggest rotating keys.

Deleted Account (Inactive) added a comment - Do bitbucket cloud users need to rotate their secret keys too?

David Black added a comment - edited

The SHA-256 checksums of the attached jars that are intended to be used with Stash 3.11 should match the following:

a3a81eb445d2e018720499c3d3c62324cf718fcd0b0f33f53f77667a2f8d952f  base-hipchat-integration-plugin-6.27.5.jar
bb72a88a9d8cc8849487e7653834bc28ddae37b4abf9a1a88126142fbfa4c0d3  base-hipchat-integration-plugin-api-6.27.5.jar
4cd2ae8d3dff89973ec8ceee73031c9d1c224605357c801e26ee9930f1a03ad3  stash-hipchat-integration-plugin-6.27.5.jar
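Added example, not part of this issue or of Atlassian's tooling: a Python script that checks the downloaded JARs against the SHA-256 list in the comment above before they are installed, reporting OK, MISMATCH or MISSING for each file. The directory argument and the script name are assumptions.

```python
import hashlib
import os
import sys

# SHA-256 list as published in the comment above (sha256sum-style "hash  filename" lines).
PUBLISHED_CHECKSUMS = """\
a3a81eb445d2e018720499c3d3c62324cf718fcd0b0f33f53f77667a2f8d952f  base-hipchat-integration-plugin-6.27.5.jar
bb72a88a9d8cc8849487e7653834bc28ddae37b4abf9a1a88126142fbfa4c0d3  base-hipchat-integration-plugin-api-6.27.5.jar
4cd2ae8d3dff89973ec8ceee73031c9d1c224605357c801e26ee9930f1a03ad3  stash-hipchat-integration-plugin-6.27.5.jar
"""


def parse_manifest(text):
    """Parse 'hash  filename' lines into {filename: hash}; blank and malformed lines are skipped."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        expected[name.strip()] = digest.lower()
    return expected


def sha256_of_file(path):
    """Stream the file in 1 MiB chunks so large JARs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_of_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


if __name__ == "__main__":
    # Assumed usage: python verify_jars.py /path/to/downloaded/jars
    jar_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    results = verify_checksums(PUBLISHED_CHECKSUMS, jar_dir)
    for name, status in results.items():
        print(f"{status:8} {name}")
    sys.exit(0 if results and all(s == "OK" for s in results.values()) else 1)
```

The exit status is non-zero unless every listed JAR is present and matches, so the check can gate an automated install step.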