HipChat / HCPUB-2903

Potential RCE in Imports


    Details

    • Symptom Severity:
      Critical
    • Platform:
      HipChat Server

      Description

      An attacker with Server Administrator level privileges could gain Remote Code Execution via a malicious file importation.

      This affects customers who have downloaded and installed HipChat Server 1.0 or later, but before version 2.2.3.
      Please run the following patch during a maintenance window (it will restart all the services and disconnect all the users).

      # Download the patch file
      cd /home/admin
      wget https://s3.amazonaws.com/hipchat-server-stable/utils/patch-cve-7357.tar.gz
      # Check that the hash of the file matches e078df21acd7a17a41502693a2d7a9b4
      md5sum patch-cve-7357.tar.gz
      # Extract the patch files
      tar xf patch-cve-7357.tar.gz
      # Execute the patch
      cd /home/admin/CVE7357; sudo dont-blame-hipchat -c './fix-cve-7357.sh'
      # The output should end with "Patch applied"
      

      Or upgrade your HipChat Server installations immediately to fix this vulnerability.
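The patch steps above verify the archive's MD5 by eye before extracting it. The script below is an added example, not part of the advisory, that wraps the same four steps so extraction and execution only happen when the checksum matches the published value; the URL, hash and script name are the advisory's, while the helper names (md5_of, verify_md5, apply_patch) are my own.

```shell
#!/bin/sh
# Added example: apply the HipChat Server patch for this issue only if the
# downloaded archive's MD5 equals the value published in the advisory.
PATCH_URL='https://s3.amazonaws.com/hipchat-server-stable/utils/patch-cve-7357.tar.gz'
PATCH_MD5='e078df21acd7a17a41502693a2d7a9b4'
PATCH_FILE='patch-cve-7357.tar.gz'

# Print the MD5 of a file using whichever tool the host provides.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    md5 -q "$1"   # BSD/macOS fallback
  fi
}

# Return 0 when the file's MD5 equals the expected value, 1 otherwise.
verify_md5() {
  actual=$(md5_of "$1") || return 1
  [ "$actual" = "$2" ]
}

# Download, verify, extract and run the patch; stop at the first failure.
apply_patch() {
  cd /home/admin || return 1
  wget -q -O "$PATCH_FILE" "$PATCH_URL" || return 1
  if ! verify_md5 "$PATCH_FILE" "$PATCH_MD5"; then
    echo "MD5 mismatch for $PATCH_FILE; refusing to extract" >&2
    rm -f "$PATCH_FILE"
    return 1
  fi
  tar xf "$PATCH_FILE" || return 1
  cd /home/admin/CVE7357 || return 1
  sudo dont-blame-hipchat -c './fix-cve-7357.sh' | tee patch.log
  # The advisory says the output should end with "Patch applied".
  grep -q 'Patch applied' patch.log
}

# Only run the real patch when explicitly asked, e.g. ./apply.sh --apply
if [ "${1:-}" = "--apply" ]; then
  apply_patch
fi
```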
