Atlassian HipChat Secret Key Disclosure

2016.10.07
Credit: David Black
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2016-6668
CWE: CWE-200


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This email refers to the following advisory pages: * Bitbucket Server - https://confluence.atlassian.com/x/0QkcMg * Confluence - https://confluence.atlassian.com/x/yIGbMg * JIRA - https://confluence.atlassian.com/x/w4GbMg CVE ID: * CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance. Product: Bitbucket Server and the Atlassian Hipchat Integration Plugin for Bitbucket Server. Affected Atlassian Hipchat Integration Plugin versions: 6.26.0 <= version < 6.27.5 6.28.0 <= version < 7.3.7 7.4.0 <= version < 7.8.17 Affected Bitbucket Server product versions: 3.10.0 <= version < 4.4.4 4.5.0 <= version < 4.5.3 4.6.0 <= version < 4.6.4 4.7.0 <= version < 4.7.2 4.8.0 <= version < 4.8.4 Fixed Bitbucket Server product versions: * for 4.4.x, Bitbucket Server 4.4.4 has been released with a fix for this issue. * for 4.5.x, Bitbucket Server 4.5.3 has been released with a fix for this issue. * for 4.6.x, Bitbucket Server 4.6.4 has been released with a fix for this issue. * for 4.7.x, Bitbucket Server 4.7.2 has been released with a fix for this issue. * for 4.8.x, Bitbucket Server 4.8.4 has been released with a fix for this issue. * for 4.9.x, Bitbucket Server 4.9.0 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability which was introduced in version 3.10.0 of Bitbucket Server. Versions of Bitbucket Server starting with 3.10.0 before 4.4.3 (the fixed version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for 4.5.x), 4.6.0 before 4.6.4 (the fixed version for 4.6.x), 4.7.0 before 4.7.3 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are affected by this vulnerability. Customers who have upgraded Bitbucket Server to version 4.4.4 or version 4.5.3 or 4.6.4 or 4.7.2 or 4.8.4, 4.9.x are not affected. Customers who have downloaded and installed Bitbucket Server >= 3.10.0 less than 4.4.3 (the fixed version for 4.4.x) or who have downloaded and installed Bitbucket Server >= 4.5.0 less than 4.5.3 (the fixed version for 4.5.x) or who have downloaded and installed Bitbucket Server >= 4.6.0 less than 4.6.4 (the fixed version for 4.6.x) or who have downloaded and installed Bitbucket Server >= 4.7.0 less than 4.7.3 (the fixed version for 4.7.x) or who have downloaded and installed Bitbucket Server >= 4.8.0 less than 4.8.4 (the fixed version for 4.8.x) please upgrade your Bitbucket Server installations immediately to fix this vulnerability. The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance (CVE-2016-6668) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. Description: The Atlassian Hipchat Integration Plugin for Bitbucket Server exposed the secret key it used to communicate with a linked HipChat service in various administration pages. For this vulnerability to affect your Bitbucket Server instance you must have a HipChat integration established. To exploit this issue, attackers must have Admin access to a Bitbucket Server. Using the secret key attackers could gain full control over a linked HipChat instance. All versions of Atlassian Hipchat Integration Plugin for Bitbucket Server from 6.26.0 before 6.27.5, from 6.28.0 before 7.3.7 and from 7.4.0 before 7.8.17 are affected by this vulnerability. All versions of Bitbucket Server from 3.10.0 before 4.4.4 (the fixed version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for 4.5.x), 4.6.0 before 4.6.4 (the fixed version for 4.6.x), 4.7.0 before 4.7.2 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/BSERV-9146 . Mitigation: If you are unable to upgrade your Bitbucket Server, then as a temporary workaround, you can disable the Atlassian Hipchat Integration Plugin. Fix: We have taken the following steps to address these issues: * Released Bitbucket Server version 4.4.4 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version. * Released Bitbucket Server version 4.5.3 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version. * Released Bitbucket Server version 4.6.4 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version. * Released Bitbucket Server version 4.7.2 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version. * Released Bitbucket Server version 4.8.4 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version. * Released Bitbucket Server version 4.9.0 that updates the bundled copy of the Atlassian Hipchat Integration Plugin to a fixed version. Remediation: Upgrade Bitbucket Server to version 4.9.0 or higher. If you are running Bitbucket Server and cannot upgrade to Bitbucket Server 4.9.0 or higher then upgrade to one of the fixed versions listed below * 4.4.4 * 4.5.3 * 4.6.4 * 4.7.2 * 4.8.4 Next, follow these steps to rotate the secret key. You need admin permissions for both Bitbucket Server and HipChat to do this: 1. Log in to Bitbucket Server as a user with admin permissions and go to <your-bitbucket-server-site>/plugins/servlet/hipchat/configure 2. Click Remove integration. This will sever the link and uninstall the add-on in HipChat. 3. Once you land back on the HipChat Integration page, click Connect HipChat. This will re-establish the link between HipChat and Bitbucket Server with a new secret key. For a full description of the latest version of Bitbucket Server, see the release notes found at https://confluence.atlassian.com/display/BitbucketServer/Releases. You can download the latest version of Bitbucket Server from the download centre found at https://www.atlassian.com/software/bitbucket/download. Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. Product: Confluence and the Confluence HipChat plugin. Affected Confluence HipChat plugin versions: 6.26.0 <= version < 7.8.17 Affected Confluence product versions: version >= 5.5.0 where the installed Confluence HipChat plugin version is >= 6.26.0 and < 7.8.17 5.9.1 <= version < 5.9.14 5.10.0 <= version < 5.10.4 Fixed Confluence product versions: * for 5.9.x, Confluence 5.9.14 has been released with a fix for this issue. * for 5.10.0, Confluence 5.10.4 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability which was introduced in version 5.9.1 of Confluence. Versions of Confluence starting with 5.9.1 before 5.9.14 (the fixed version for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x) are affected by this vulnerability. Atlassian Cloud instances have already been upgraded to a version of Confluence which does not have the issue described on this page. Customers who have upgraded Confluence to version 5.9.14 or version 5.10.4 are not affected. Customers who have downloaded and installed Confluence >= 5.5.0 and have a version of the Confluence HipChat plugin >= 6.26.0 and less than 7.8.17 installed or who have downloaded and installed Confluence >= 5.9.1 less than 5.9.14 (the fixed version for 5.9.x) or who have downloaded and installed Confluence >= 5.10.0 less than 5.10.4 (the fixed version for 5.10.x) please upgrade the Confluence HipChat plugin in your Confluence installations immediately to fix this vulnerability. The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance (CVE-2016-6668) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. Description: The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluence account that has either: * Create space permission (this is a default permission for all users) * Space admin permission for any space * Confluence Administrator or System Administrator permission Using the secret key attackers can gain full control over a linked HipChat instance. All versions of Confluence HipChat plugin from 6.26.0 before 7.8.17 are affected by this vulnerability. All versions of Confluence from 5.9.1 before 5.9.14 (the fixed version for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x) are affected by this vulnerability. This issue can be tracked here: https://jira.atlassian.com/browse/CONF-43695 . Mitigation: If you are unable to upgrade your Confluence server or the Confluence HipChat plugin, then as a temporary workaround, you can disable or uninstall the Confluence HipChat plugin and the Atlassian HipChat Integration plugin in Confluence. Fix: We have taken the following steps to address these issues: * Released Confluence version 5.9.14 that updates the bundled copy of the Confluence HipChat plugin to a fixed version. * Released Confluence version 5.10.4 that updates the bundled copy of the Confluence HipChat plugin to a fixed version. * Released Confluence HipChat plugin version 7.8.17 that contains a fix for this issue. Remediation: Upgrade the Confluence HipChat plugin to version 7.8.17 or higher. For instructions on how to update add-ons like the Confluence HipChat plugin see https://confluence.atlassian.com/display/UPM/Updating+add-ons. The HipChat for Confuence plugin marketplace entry can be found at https://marketplace.atlassian.com/plugins/com.atlassian.labs.hipchat.confluence-hipchat/server/overview. If you cannot upgrade the Confluence HipChat plugin to version 7.8.17 or higher then upgrade Confluence to version 5.10.4 or higher. If you are running Confluence 5.9.x and cannot upgrade to Confluence 5.10.4 then upgrade to version 5.9.14. Next, follow these steps to rotate the secret key. You need admin permissions for both Confluence and HipChat to do this: 1. Log in to Confluence as a user with admin permissions and go to <your-confluence-site>/plugins/servlet/hipchat/configure 2. Click Remove integration. This will sever the link and uninstall the add-on in HipChat. 3. Once you land back on the HipChat Integration page, click Connect HipChat. This will re-establish the link between HipChat and Confluence with a new secret key. For a full description of the latest version of Confluence, see the release notes found at https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can download the latest version of Confluence from the download centre found at https://www.atlassian.com/software/confluence/download. Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. Product: JIRA and the HipChat for JIRA plugin. Affected HipChat for JIRA plugin versions: 6.26.0 <= version < 7.8.17 Affected JIRA product versions: version >= 6.2.5 where the installed HipChat for JIRA plugin version is >= 6.26.0 and < 7.8.17 6.4.8 <= version < 7.0.11 7.1.0 <= version < 7.1.10 Fixed JIRA product versions: * for 7.0.x, JIRA 7.0.11 has been released with a fix for this issue. * for 7.1.x, JIRA 7.1.10 has been released with a fix for this issue. * for 7.2.x, JIRA 7.2.0 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability which was introduced in version 6.4.8 of JIRA. Versions of JIRA starting with 6.4.8 before 7.0.11 (the fixed version for 7.0.x), from 7.1.0 before 7.1.10 (the fixed version for 7.1.x) are affected by this vulnerability. Atlassian Cloud instances have already been upgraded to a version of JIRA which does not have the issue described on this page. Customers who have upgraded JIRA to version 7.0.11 or 7.1.10 or 7.2.0 are not affected. Customers who have downloaded and installed JIRA >= 6.2.5 and have a version of the HipChat for JIRA plugin >= 6.26.0 and less than 7.8.17 installed or who have downloaded and installed JIRA >= 6.4.8 less than 7.0.11 (the fixed version for 7.0.x) or who have downloaded and installed JIRA >= 7.1.0 less than 7.1.10 (the fixed version for 7.1.x) please upgrade the HipChat for JIRA plugin in your JIRA installations immediately to fix this vulnerability. The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance (CVE-2016-6668) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. Description: The HipChat for JIRA plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your JIRA instance you must have a HipChat integration established. To exploit this issue in JIRA versions 7.0.0 and higher, attackers need to have access to a JIRA account. In JIRA versions before 7.0.0, such as 6.4.x, attackers only need access to the JIRA web interface. Using the secret key attackers can gain full control over a linked HipChat instance. All versions of HipChat for JIRA plugin from 6.26.0 before 7.8.17 are affected by this vulnerability. All versions of JIRA from 6.4.8 before 7.0.11(the fixed version for 7.0.x) and from 7.1.0 before 7.1.10 (the fixed version for 7.1.x) are affected by this vulnerability are affected by this vulnerability. This issue can be tracked here: https://jira.atlassian.com/browse/JRA-62496 . Mitigation: If you are unable to upgrade your JIRA server or the HipChat for JIRA plugin, then as a temporary workaround, you can disable or uninstall the HipChat for JIRA plugin in JIRA. Fix: We have taken the following steps to address this issue: * Released JIRA version 7.0.11 that updates the bundled copy of the HipChat for JIRA plugin to a fixed version. * Released JIRA version 7.1.10 that updates the bundled copy of the HipChat for JIRA plugin to a fixed version. * Released JIRA version 7.2.0 that updates the bundled copy of the HipChat for JIRA plugin to a fixed version. * Released HipChat for JIRA plugin version 7.8.17 that contains a fix for this issue. Remediation: Upgrade the HipChat for JIRA plugin to version 7.8.17 or higher. For instructions on how to update add-ons like the HipChat for JIRA plugin see https://confluence.atlassian.com/display/UPM/Updating+add-ons. The HipChat for JIRA plugin marketplace entry can be found at https://marketplace.atlassian.com/plugins/com.atlassian.labs.hipchat.hipchat-for-JIRA-plugin/server/overview. If you cannot upgrade the HipChat For JIRA Plugin to version 7.8.17 or higher then upgrade JIRA to version 7.2.0 or higher. If you are running JIRA 7.1.x and cannot upgrade to JIRA 7.2.0 then upgrade to version 7.1.10. If you are running JIRA 7.0.x and cannot upgrade to JIRA 7.2.0 or 7.1.10 then upgrade to version 7.0.11. Next, follow these steps to rotate the secret key. You need admin permissions for both JIRA and HipChat to do this: 1. Log in to JIRA as a user with admin permissions and go to <your-jira-site>/plugins/servlet/hipchat/configure 2. Click Remove integration. This will sever the link and uninstall the add-on in HipChat. 3. Once you land back on the HipChat Integration page, click Connect HipChat. This will re-establish the link between HipChat and JIRA with a new secret key. For a full description of the latest version of JIRA, see the release notes found at https://confluence.atlassian.com/display/AdminJIRA/JIRA+7.2.x+platform+release+notes. You can download the latest version of JIRA from the download centre found at https://www.atlassian.com/software/jira/download. Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. - -- David Black / Security Engineer. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJX8uS2AAoJECQgl6K8UnagvG4P/RQ/ibZa64Ydwr73Zr9kkXx/ 0kcU3vm5xVwqu1ydzYQsWBMUnfVfVPQm33MYJH9AoASWdUGCXPJeY0BRxdXiJXEI xpMy91l22AgnSpm+9dSu1D68S0G2bOmaUStYhn6fmUiN/9JlAsz8Sd1iF6aS1qMn 8Iq2kfGk3hnxhpZaCzUniZPIerjxH3wziVjHNtc9VAb9pScQToIWcbp0sRHR4vt6 OV6tuZ5OPU4G3Wup47KB8AI0B1SRydI9Hjn/+/rnrHS8m9rFhZWAkJVtp4hadLwr uZ9sYvOUTBT1/K1KAgePOtCgNrN7N+DuTKWJhd1qU9DQYPjBLkoNSTDhR+6tByiD JSnSFsBPlEFGygPO5r1fBml/CB+OoQi/s9WoNKFK4LtmhUE06hFV93ux6zedyI/H Hr3g4uXDxQIdsK8kqvNlwN3acy8CrBcHRRUinjhBWPNHUl39PVb6dwrUVg/KjfdE FJzW+3MiQtFCe/vLCA3ln5fdlevPZPfltzDkcRoNMvM5vo2zzBqtqGmmDb3bxRwS gHa4GDroDGO8Elnmo5NNTADJuwSscSsMc2uW+ptGtutpMghSKtJ/k5j/QG6sifl0 WV9WFwuijOiZ8EVoUSMWnDrVzUm7VInkKTNvtAD/kc5xXKmA4xkIlywFeQN0e+KL gvckhFBeWynkE/TAcHLo =7Gi0 -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top