[HCPUB-2903] Potential RCE in Imports - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Highest
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: HC Platform - HipChat Server
Labels:

Last commented by user?:
true
Symptom Severity:
Critical
Platform:
HipChat Server

Description

An attacker with Server Administrator level privileges could gain Remote Code Execution via a malicious file importation.

Customers who have downloaded and installed HipChat Server 1.0 or later, but before version 2.2.3.
Please run the following patch during a maintenance window (it will restart all the services and disconnect all the users)

# Download the patch file
cd /home/admin
wget https://s3.amazonaws.com/hipchat-server-stable/utils/patch-cve-7357.tar.gz
# Check that the hash of the file matches e078df21acd7a17a41502693a2d7a9b4
md5sum patch-cve-7357.tar.gz
# Extract the patch files
tar xf patch-cve-7357.tar.gz
# Execute the patch
cd /home/admin/CVE7357; sudo dont-blame-hipchat -c './fix-cve-7357.sh'
# The output should end with "Patch applied"

Or upgrade your HipChat Server installations immediately to fix this vulnerability.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

relates to: CHAT-451 Loading...

(1 mentioned in, 1 relates to)

Activity

People

Assignee:: Unassigned

Reporter:: Matthew Hart

Participants:: Matthew Hart, Paul Buonopane

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Due:: 03/May/2017

Created:: 05/Apr/2017 3:21 AM

Updated:: 10/Apr/2018 4:31 AM

Resolved:: 13/Apr/2017 5:50 AM

Last commented:: 2 years, 18 weeks, 6 days ago