[HCPUB-2801] Apache Struts 2 Remote Code Execution (CVE-2017-5638) Created: 09/Mar/2017  Updated: 30/Aug/2017  Resolved: 10/Mar/2017

Status: Closed
Project: HipChat
Component/s: Other
Affects Version/s: None
Fix Version/s: HCS 2.2.2

Type: Bug Priority: Highest
Reporter: Alek Amrani Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: CVE-2017-5638, advisory, advisory-released, injection, rce, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Last commented: 36 weeks, 6 days ago
Last commented by user?: true
Symptom Severity: Critical
Platform: HipChat Server

Description

Description

HipChat Server ships a version of Apache Struts 2 that is affected by CVE-2017-5638. A remote attacker with network access to a vulnerable version of HipChat Server can potentially use this to:

  • Execute remote code of their choice
  • Make HTTP requests to local and internal services

To exploit this issue, attackers need to have network access to a HipChat Server instance.

Affected versions
All versions of HipChat Server before version 2.2.2 are affected by this vulnerability.
Fix

We have taken the following steps to address this issue:

  • Released a patch for customers.
  • Released HipChat Server version 2.2.2 that contains a fix for the issue.

For additional details, see the full advisory.



Comments
Comment by John Pfeiffer [ 10/Mar/2017 ]

Fixed in the latest release:

https://confluence.atlassian.com/hc/hipchat-server-release-notes-608731400.html/

Details of the security advisory:

https://confluence.atlassian.com/hc/hipchat-server-security-advisory-2017-03-09-877346198.html


Generated at Fri Nov 24 20:28:02 UTC 2017 using JIRA 7.6.0-m0129#76001-sha1:1a6e0e8c245893d5a5e460cd20f41de3eb03152d.