HipChat / HCPUB-2903

Potential RCE in Imports


    Details

    • Symptom Severity:
      Severity 1 - Critical

      Description

      An attacker with Server Administrator level privileges could gain Remote Code Execution via a malicious file importation.

      Affected: customers who have downloaded and installed HipChat Server 1.0 or later, but before version 2.2.3.
      Please run the following patch during a maintenance window (it will restart all the services and disconnect all the users).

      # Download the patch file
      cd /home/admin
      wget https://s3.amazonaws.com/hipchat-server-stable/utils/patch-cve-7357.tar.gz
      # Check that the hash of the file matches e078df21acd7a17a41502693a2d7a9b4
      # (md5sum -c prints "OK" on a match; do not proceed if it reports FAILED)
      echo "e078df21acd7a17a41502693a2d7a9b4  patch-cve-7357.tar.gz" | md5sum -c -
      # Extract the patch files
      tar xf patch-cve-7357.tar.gz
      # Execute the patch (only if the directory exists, i.e. extraction succeeded)
      cd /home/admin/CVE7357 && sudo dont-blame-hipchat -c './fix-cve-7357.sh'
      # The output should end with "Patch applied"

      Alternatively, upgrade your HipChat Server installations immediately to fix this vulnerability.
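      As an added example (not part of this advisory or of Atlassian's patch), a small POSIX shell script that verifies an archive's MD5 against the published value before extracting anything, so a corrupted or substituted download never reaches the `sudo` step. The function names and the locally built sample tarball are constructed for the demonstration, not taken from the patch.

```shell
#!/bin/sh
# Added example: fail-closed integrity check before extracting a patch archive.
# Function names (verify_md5, extract_if_verified, demo) are hypothetical.

# verify_md5 FILE EXPECTED_HEX -> 0 if md5sum(FILE) == EXPECTED_HEX, else 1
verify_md5() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "verify_md5: no such file: $file" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_md5: hash mismatch for $file (got $actual, want $expected)" >&2
    return 1
}

# extract_if_verified ARCHIVE EXPECTED_HEX DESTDIR
# Extracts into DESTDIR only after the hash check passes; on mismatch it
# returns 1 and DESTDIR is never created, so nothing from the archive lands on disk.
extract_if_verified() {
    archive="$1"; expected="$2"; dest="$3"
    verify_md5 "$archive" "$expected" || return 1
    mkdir -p "$dest"
    tar xf "$archive" -C "$dest"
}

# Constructed sample run: build a tiny tarball locally, hash it, then show
# both the accepted path and the refused path.
demo() {
    tmp=$(mktemp -d)
    printf '%s' 'hello world' > "$tmp/payload.txt"
    tar cf "$tmp/sample.tar" -C "$tmp" payload.txt
    good=$(md5sum "$tmp/sample.tar" | cut -d ' ' -f 1)
    extract_if_verified "$tmp/sample.tar" "$good" "$tmp/out" && echo "verified, extracted"
    # A wrong hash must refuse to extract (message goes to stderr).
    extract_if_verified "$tmp/sample.tar" "00000000000000000000000000000000" "$tmp/out2" \
        || echo "refused on mismatch"
    rm -rf "$tmp"
}
demo
```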

              People

              Assignee: Unassigned
              Reporter: Matthew Hart (mhart@atlassian.com)
