lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAM5mL26TaBA6fCO3uawdE_3YZq-2B4rykLhuN-cLvCZ=QNAbyg@mail.gmail.com>
Date: Thu, 13 Apr 2017 11:14:13 +1000
From: Matthew Hart <mhart@...assian.com>
To: bugtraq@...urityfocus.com
Subject: April 2017 - HipChat Server Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


CVE ID:

* CVE-2017-7357.


Product: Hipchat Server.

Affected Hipchat Server product versions:
All versions < 2.2.3


Fixed Hipchat Server product versions:
2.2.3



Summary:
This advisory discloses a critical severity security vulnerability
that was introduced in version 1.0 of Hipchat Server. Versions of
Hipchat Server starting with versions of Hipchat Server from 1.0 but
less than 2.2.3 (the fixed version), are affected by this
vulnerability. are affected by this vulnerability.

HipChat Cloud instances aren't affected by the issue described in this email.

Customers who have upgraded Hipchat Server to version 2.2.3 are not affected.

Customers who have downloaded and installed any version less than
2.2.3 please upgrade your Hipchat Server installations immediately to
fix this vulnerability.


Remote Code Execution via Administrative Imports (CVE-2017-7357)

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low.
This is an independent assessment and you should evaluate its
applicability to your own IT environment.


Description:

An attacker with Server Administrator level privileges could gain
Remote Code Execution via a malicious file importation.
All versions of Hipchat Server starting with versions of Hipchat
Server from 1.0 but less than 2.2.3 (the fixed version), are affected
by this vulnerability. are affected by this vulnerability. are
affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/HCPUB-2903 .


Fix:

To address this issue, we've released the following versions containing a fix:

* Hipchat Server version 2.2.3

Remediation:

Upgrade Hipchat Server to version 2.2.3 or higher.

The vulnerabilities and fix versions are described above. If affected,
you should upgrade to the latest version immediately.




For a full description of the latest version of Hipchat Server, see
the release notes found at
https://confluence.atlassian.com/display/hc/hipchat+server+Release+Notes.
You can download the latest version of Hipchat Server from the
download centre found at https://www.hipchat.com/server/get-it.


Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.

-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJY7s+IAAoJECQgl6K8UnagCzYP/jp7PVaYUFs0Kr1EVeXPWojS
tdsgvoAWyOCpmAvozQKflRHKQHDv2Kaw7x4fwQgGH2omWUcfECFNv3Xg679ormRJ
9kTWoEWmO6eZHy89qdpnsPmveHIloiIHoLui5ryjC+1zqE/EC6IxrqmLyIi3eYyF
Qgr3cymuVh6xjpt3lvtZACtOheI9QYxikGb2D6RzMZKP5tRfVBz9wvhKnqUYhpJq
UTWXw5St3SDVfw8B3YVJy4penp9EXi/+aia3XZ91hzQYqwmGtUnbLwbghysdus+Y
sFEqV5EB1MG0ycwaB51lVPzSukmANeM9vnd2cwO5wdiwPBdME6NoxSpM1IT73WqP
I3I7mUvJbPaaKFK78qX+045TthNef7lzbEuyPy6jISHVLRu+jA2JD+DMb67Kragx
cw0O+/imh+SlVqBjdyxKpJxQdqZ8l6izDJfBHXoimlpWcq46c6oZ1EOdR9XOhnkv
BCF+uhBrOBs7iewd+nimeiw5BsX5e21UZlm7dMSmUqP1X/kD6iTvJL0k2fDtySAm
ZbLIKyhxsakAgPzvxAV0eab5jtVoalmGzJomJGfdmIGu8VI5Pcc0YhJM/YAvFki0
34xRSWZAUCUraWwKCpQL8peGMa8Xp8OlHzhVb/v2HTLbGZst+Zal1JaaleJtAyl9
ur1lgl0vPAU3iSjKmMRL
=aGWJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ