[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

September 2016 - HipChat Plugin for various products - Critical Security Advisory



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the following advisory pages:

* Bitbucket Server - https://confluence.atlassian.com/x/0QkcMg
* Confluence - https://confluence.atlassian.com/x/yIGbMg
* JIRA - https://confluence.atlassian.com/x/w4GbMg

CVE ID:
* CVE-2016-6668 - The HipChat plugin for various products leaks the
secret key it uses to communicate with a linked HipChat instance.


Product: Bitbucket Server and the Atlassian Hipchat Integration Plugin
for Bitbucket Server.

Affected Atlassian Hipchat Integration Plugin versions:
6.26.0 <= version < 6.27.5
6.28.0 <= version < 7.3.7
7.4.0 <= version < 7.8.17

Affected Bitbucket Server product versions:
3.10.0 <= version < 4.4.4
4.5.0 <= version < 4.5.3
4.6.0 <= version < 4.6.4
4.7.0 <= version < 4.7.2
4.8.0 <= version < 4.8.4

Fixed Bitbucket Server product versions:

* for 4.4.x, Bitbucket Server 4.4.4 has been released with a fix for this issue.
* for 4.5.x, Bitbucket Server 4.5.3 has been released with a fix for this issue.
* for 4.6.x, Bitbucket Server 4.6.4 has been released with a fix for this issue.
* for 4.7.x, Bitbucket Server 4.7.2 has been released with a fix for this issue.
* for 4.8.x, Bitbucket Server 4.8.4 has been released with a fix for this issue.
* for 4.9.x, Bitbucket Server 4.9.0 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability
which was introduced in version 3.10.0 of Bitbucket Server. Versions
of Bitbucket Server starting with 3.10.0 before 4.4.3 (the fixed
version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for
4.5.x), 4.6.0 before 4.6.4 (the fixed version for 4.6.x), 4.7.0 before
4.7.3 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are
affected by this vulnerability.

Customers who have upgraded Bitbucket Server to version 4.4.4 or
version 4.5.3 or 4.6.4 or 4.7.2 or 4.8.4, 4.9.x are not affected.

Customers who have downloaded and installed Bitbucket Server >= 3.10.0
less than 4.4.3 (the fixed version for 4.4.x) or
who have downloaded and installed Bitbucket Server >= 4.5.0 less than
4.5.3 (the fixed version for 4.5.x) or who have downloaded and
installed Bitbucket Server >= 4.6.0 less than 4.6.4 (the fixed version
for 4.6.x) or who have downloaded and installed Bitbucket Server >=
4.7.0 less than 4.7.3 (the fixed version for 4.7.x) or who have
downloaded and installed Bitbucket Server >= 4.8.0 less than 4.8.4
(the fixed version for 4.8.x) please upgrade your Bitbucket Server
installations immediately to fix this vulnerability.


The HipChat plugin for various products leaks the secret key it uses
to communicate with a linked HipChat instance (CVE-2016-6668)

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low.
This is an independent assessment and you should evaluate its
applicability to your own IT environment.


Description:

The Atlassian Hipchat Integration Plugin for Bitbucket Server exposed
the secret key it used to communicate with a linked HipChat service in
various administration pages. For this vulnerability to affect your
Bitbucket Server instance you must have a HipChat integration
established. To exploit this issue, attackers must have Admin access
to a Bitbucket Server. Using the secret key attackers could gain full
control over a linked HipChat instance.

All versions of Atlassian Hipchat Integration Plugin for Bitbucket
Server from 6.26.0 before 6.27.5, from 6.28.0 before 7.3.7 and from
7.4.0 before 7.8.17 are affected by this vulnerability.

All versions of Bitbucket Server from 3.10.0 before 4.4.4 (the fixed
version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for
4.5.x), 4.6.0 before 4.6.4 (the fixed version for 4.6.x), 4.7.0 before
4.7.2 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are
affected by this vulnerability. This issue can be tracked at
https://jira.atlassian.com/browse/BSERV-9146 .


Mitigation:

If you are unable to upgrade your Bitbucket Server, then as a
temporary workaround, you can disable the Atlassian Hipchat
Integration Plugin.

Fix:

We have taken the following steps to address these issues:
* Released Bitbucket Server version 4.4.4 that updates the bundled
copy of the Atlassian Hipchat Integration Plugin to a fixed version.
* Released Bitbucket Server version 4.5.3 that updates the bundled
copy of the Atlassian Hipchat Integration Plugin to a fixed version.
* Released Bitbucket Server version 4.6.4 that updates the bundled
copy of the Atlassian Hipchat Integration Plugin to a fixed version.
* Released Bitbucket Server version 4.7.2 that updates the bundled
copy of the Atlassian Hipchat Integration Plugin to a fixed version.
* Released Bitbucket Server version 4.8.4 that updates the bundled
copy of the Atlassian Hipchat Integration Plugin to a fixed version.
* Released Bitbucket Server version 4.9.0 that updates the bundled
copy of the Atlassian Hipchat Integration Plugin to a fixed version.


Remediation:

Upgrade Bitbucket Server to version 4.9.0 or higher.

If you are running Bitbucket Server and cannot upgrade to Bitbucket
Server 4.9.0 or higher then upgrade to one of the fixed versions
listed below

* 4.4.4
* 4.5.3
* 4.6.4
* 4.7.2
* 4.8.4


Next, follow these steps to rotate the secret key.

You need admin permissions for both Bitbucket Server and HipChat to do this:

1. Log in to Bitbucket Server as a user with admin permissions and go
to <your-bitbucket-server-site>/plugins/servlet/hipchat/configure
2. Click Remove integration. This will sever the link and uninstall
the add-on in HipChat.
3. Once you land back on the HipChat Integration page, click Connect
HipChat. This will re-establish the link between HipChat and Bitbucket
Server with a new secret key.


For a full description of the latest version of Bitbucket Server, see
the release notes found at
https://confluence.atlassian.com/display/BitbucketServer/Releases. You
can download the latest version of Bitbucket Server from the download
centre found at https://www.atlassian.com/software/bitbucket/download.


Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.



Product: Confluence and the Confluence HipChat plugin.

Affected Confluence HipChat plugin versions:
6.26.0 <= version < 7.8.17


Affected Confluence product versions:
version >= 5.5.0 where the installed Confluence HipChat plugin version
is >= 6.26.0 and < 7.8.17
5.9.1 <= version < 5.9.14
5.10.0 <= version < 5.10.4

Fixed Confluence product versions:
* for 5.9.x, Confluence 5.9.14 has been released with a fix for this issue.
* for 5.10.0, Confluence 5.10.4 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability
which was introduced in version 5.9.1 of Confluence. Versions of
Confluence starting with 5.9.1 before 5.9.14 (the fixed version for
5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x)
are affected by this vulnerability.

Atlassian Cloud instances have already been upgraded to a version of
Confluence which does not have the issue described on this page.

Customers who have upgraded Confluence to version 5.9.14 or version
5.10.4 are not affected.

Customers who have downloaded and installed Confluence >= 5.5.0 and
have a version of the Confluence HipChat plugin >= 6.26.0 and less
than 7.8.17 installed or who have downloaded and installed Confluence
>= 5.9.1 less than 5.9.14 (the fixed version for 5.9.x) or who have
downloaded and installed Confluence >= 5.10.0 less than 5.10.4 (the
fixed version for 5.10.x) please upgrade the Confluence HipChat plugin
in your Confluence installations immediately to fix this
vulnerability.


The HipChat plugin for various products leaks the secret key it uses
to communicate with a linked HipChat instance (CVE-2016-6668)

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low.
This is an independent assessment and you should evaluate its
applicability to your own IT environment.


Description:

The Confluence HipChat plugin exposed the secret key it used to
communicate with a linked HipChat service in various pages. For this
vulnerability to affect your Confluence instance you must have a
HipChat integration established. To exploit this issue, attackers need
to have access to a Confluence account that has either:

* Create space permission (this is a default permission for all users)
* Space admin permission for any space
* Confluence Administrator or System Administrator permission

Using the secret key attackers can gain full control over a linked
HipChat instance.

All versions of Confluence HipChat plugin from 6.26.0 before 7.8.17
are affected by this vulnerability.

All versions of Confluence from 5.9.1 before 5.9.14 (the fixed version
for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for
5.10.x) are affected by this vulnerability. This issue can be tracked
here: https://jira.atlassian.com/browse/CONF-43695 .


Mitigation:

If you are unable to upgrade your Confluence server or the Confluence
HipChat plugin, then as a temporary workaround, you can disable or
uninstall the Confluence HipChat plugin and the Atlassian HipChat
Integration plugin in Confluence.

Fix:

We have taken the following steps to address these issues:
* Released Confluence version 5.9.14 that updates the bundled copy of
the Confluence HipChat plugin to a fixed version.
* Released Confluence version 5.10.4 that updates the bundled copy of
the Confluence HipChat plugin to a fixed version.
* Released Confluence HipChat plugin version 7.8.17 that contains a
fix for this issue.

Remediation:

Upgrade the Confluence HipChat plugin to version 7.8.17 or higher. For
instructions on how to update add-ons like the Confluence HipChat
plugin see https://confluence.atlassian.com/display/UPM/Updating+add-ons.
The HipChat for Confuence plugin marketplace entry can be found at
https://marketplace.atlassian.com/plugins/com.atlassian.labs.hipchat.confluence-hipchat/server/overview.

If you cannot upgrade the Confluence HipChat plugin to version 7.8.17
or higher then upgrade Confluence to version 5.10.4 or higher. If you
are running Confluence 5.9.x and cannot upgrade to Confluence 5.10.4
then upgrade to version 5.9.14.


Next, follow these steps to rotate the secret key.

You need admin permissions for both Confluence and HipChat to do this:

1. Log in to Confluence as a user with admin permissions and go to
<your-confluence-site>/plugins/servlet/hipchat/configure
2. Click Remove integration. This will sever the link and uninstall
the add-on in HipChat.
3. Once you land back on the HipChat Integration page, click Connect
HipChat. This will re-establish the link between HipChat and
Confluence with a new secret key.

For a full description of the latest version of Confluence, see the
release notes found at
https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes.
You can download the latest version of Confluence from the download
centre found at
https://www.atlassian.com/software/confluence/download.

Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.



Product: JIRA and the HipChat for JIRA plugin.

Affected HipChat for JIRA plugin versions:
6.26.0 <= version < 7.8.17

Affected JIRA product versions:
version >= 6.2.5 where the installed HipChat for JIRA plugin version
is >= 6.26.0 and < 7.8.17
6.4.8 <= version < 7.0.11
7.1.0 <= version < 7.1.10

Fixed JIRA product versions:

* for 7.0.x, JIRA  7.0.11 has been released with a fix for this issue.
* for 7.1.x, JIRA 7.1.10 has been released with a fix for this issue.
* for 7.2.x, JIRA 7.2.0 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability
which was introduced in version 6.4.8 of JIRA. Versions of JIRA
starting with 6.4.8 before 7.0.11 (the fixed version for 7.0.x), from
7.1.0 before 7.1.10 (the fixed version for 7.1.x) are affected by this
vulnerability.

Atlassian Cloud instances have already been upgraded to a version of
JIRA which does not have the issue described on this page.

Customers who have upgraded JIRA to version 7.0.11 or 7.1.10 or 7.2.0
are not affected.

Customers who have downloaded and installed JIRA >= 6.2.5 and have a
version of the HipChat for JIRA plugin >= 6.26.0 and less than 7.8.17
installed or who have downloaded and installed JIRA >= 6.4.8 less than
7.0.11 (the fixed version for 7.0.x) or who have downloaded and
installed JIRA >= 7.1.0 less than 7.1.10 (the fixed version for 7.1.x)
please upgrade the HipChat for JIRA plugin in your JIRA installations
immediately to fix this vulnerability.


The HipChat plugin for various products leaks the secret key it uses
to communicate with a linked HipChat instance (CVE-2016-6668)

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low.
This is an independent assessment and you should evaluate its
applicability to your own IT environment.


Description:

The HipChat for JIRA plugin exposed the secret key it used to
communicate with a linked HipChat service in various pages. For this
vulnerability to affect your JIRA instance you must have a HipChat
integration established. To exploit this issue in JIRA versions 7.0.0
and higher, attackers need to have access to a JIRA account. In JIRA
versions before 7.0.0, such as 6.4.x, attackers only need access to
the JIRA web interface. Using the secret key attackers can gain full
control over a linked HipChat instance.

All versions of HipChat for JIRA plugin from 6.26.0 before 7.8.17 are
affected by this vulnerability.

All versions of JIRA from 6.4.8 before 7.0.11(the fixed version for
7.0.x) and from 7.1.0 before 7.1.10 (the fixed version for 7.1.x) are
affected by this vulnerability are affected by this vulnerability.
This issue can be tracked here:
https://jira.atlassian.com/browse/JRA-62496 .


Mitigation:

If you are unable to upgrade your JIRA server or the HipChat for JIRA
plugin, then as a temporary workaround, you can disable or uninstall
the HipChat for JIRA plugin in JIRA.


Fix:

We have taken the following steps to address this issue:
* Released JIRA version 7.0.11 that updates the bundled copy of the
HipChat for JIRA plugin to a fixed version.
* Released JIRA version 7.1.10 that updates the bundled copy of the
HipChat for JIRA plugin to a fixed version.
* Released JIRA version 7.2.0 that updates the bundled copy of the
HipChat for JIRA plugin to a fixed version.
* Released HipChat for JIRA plugin version 7.8.17 that contains a fix
for this issue.


Remediation:

Upgrade the HipChat for JIRA plugin to version 7.8.17 or higher. For
instructions on how to update add-ons like the HipChat for JIRA plugin
see https://confluence.atlassian.com/display/UPM/Updating+add-ons. The
HipChat for JIRA plugin marketplace entry can be found at
https://marketplace.atlassian.com/plugins/com.atlassian.labs.hipchat.hipchat-for-JIRA-plugin/server/overview.

If you cannot upgrade the HipChat For JIRA Plugin to version 7.8.17 or
higher then upgrade JIRA to version 7.2.0 or higher. If you are
running JIRA 7.1.x and cannot upgrade to JIRA 7.2.0 then upgrade to
version 7.1.10. If you are running JIRA 7.0.x and cannot upgrade to
JIRA 7.2.0 or 7.1.10 then upgrade to version 7.0.11.


Next, follow these steps to rotate the secret key.

You need admin permissions for both JIRA and HipChat to do this:

1. Log in to JIRA as a user with admin permissions and go to
<your-jira-site>/plugins/servlet/hipchat/configure
2. Click Remove integration. This will sever the link and uninstall
the add-on in HipChat.
3. Once you land back on the HipChat Integration page, click Connect
HipChat. This will re-establish the link between HipChat and JIRA with
a new secret key.

For a full description of the latest version of JIRA, see the release
notes found at https://confluence.atlassian.com/display/AdminJIRA/JIRA+7.2.x+platform+release+notes.
You can download the latest version of JIRA from the download centre
found at https://www.atlassian.com/software/jira/download.

Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.

- --
David Black / Security Engineer.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJX8uS2AAoJECQgl6K8UnagvG4P/RQ/ibZa64Ydwr73Zr9kkXx/
0kcU3vm5xVwqu1ydzYQsWBMUnfVfVPQm33MYJH9AoASWdUGCXPJeY0BRxdXiJXEI
xpMy91l22AgnSpm+9dSu1D68S0G2bOmaUStYhn6fmUiN/9JlAsz8Sd1iF6aS1qMn
8Iq2kfGk3hnxhpZaCzUniZPIerjxH3wziVjHNtc9VAb9pScQToIWcbp0sRHR4vt6
OV6tuZ5OPU4G3Wup47KB8AI0B1SRydI9Hjn/+/rnrHS8m9rFhZWAkJVtp4hadLwr
uZ9sYvOUTBT1/K1KAgePOtCgNrN7N+DuTKWJhd1qU9DQYPjBLkoNSTDhR+6tByiD
JSnSFsBPlEFGygPO5r1fBml/CB+OoQi/s9WoNKFK4LtmhUE06hFV93ux6zedyI/H
Hr3g4uXDxQIdsK8kqvNlwN3acy8CrBcHRRUinjhBWPNHUl39PVb6dwrUVg/KjfdE
FJzW+3MiQtFCe/vLCA3ln5fdlevPZPfltzDkcRoNMvM5vo2zzBqtqGmmDb3bxRwS
gHa4GDroDGO8Elnmo5NNTADJuwSscSsMc2uW+ptGtutpMghSKtJ/k5j/QG6sifl0
WV9WFwuijOiZ8EVoUSMWnDrVzUm7VInkKTNvtAD/kc5xXKmA4xkIlywFeQN0e+KL
gvckhFBeWynkE/TAcHLo
=7Gi0
-----END PGP SIGNATURE-----