The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA plugin 6.26.0 before 7.8.17 allows remote attackers to obtain the secret key for communicating with HipChat instances by reading unspecified pages.

HipChat for JIRA plugin - leaks secret key - HC-32766

Note: As of  September 2014 we are no longer issuing binary bug patches, instead we create new maintenance releases for the major versions we are backporting.

Date of Advisory:  21 Sep 2016 10 AM PDT  (Pacific Time, -7 hours)

CVE ID: 

*   CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

Product: JIRA and the HipChat for JIRA plugin.

Affected HipChat for JIRA plugin versions:

*   6.26.0 <= version < 7.8.17

Affected JIRA product versions:

*   version >= 6.2.5 where the installed HipChat for JIRA plugin version is >= 6.26.0 and < 7.8.17
*   6.4.8 <= version < 7.0.11
*   7.1.0 <= version < 7.1.10

Fixed JIRA product versions:

*   for 7.0.x, JIRA  **7.0.11** has been released with a fix for this issue.
*   for 7.1.x, JIRA **7.1.10** has been released with a fix for this issue.
*   for 7.2.x, JIRA **7.2.0** has been released with a fix for this issue.

****Summary of Vulnerability****

This advisory discloses a **critical severity** security vulnerability which was introduced in version 6.4.8 of JIRA. Versions of JIRA starting with 6.4.8 before **7.0.11** (the fixed version for 7.0.x), from **7.1.0** before **7.1.10** (the fixed version for 7.1.x) are affected by this vulnerability.

**Atlassian Cloud** instances have **already been upgraded** to a version of JIRA which does **not** have the issue described on this page.

**Customers who have upgraded JIRA to version **7.0.11 or** 7.1.10 or **7.2.0**** **are** **not affected****.**

**Customers who have** **downloaded and installed JIRA >= 6.2.5 and have a version of the HipChat for JIRA plugin >= **6.26.0 and less than 7.8.17 installed.****

**Customers who have downloaded and installed **JIRA** >= **6.4.8** less than 7.0.11 (the fixed version for 7.0.x)**

**Customers who have downloaded and installed **JIRA** >= 7.1.0 less than 7.1.10 (the fixed version for 7.1.x)**

Please **upgrade** the **HipChat for JIRA plugin** in your **JIRA** installations **immediately** to fix this vulnerability.

**The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance (CVE-2016-6668)**

**Severity**

Atlassian rates the severity level of this vulnerability as **critical**, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

**Description**

The HipChat for JIRA plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your JIRA instance you must have a HipChat integration established. To exploit this issue in JIRA versions 7.0.0 and higher, attackers need to have access to a JIRA account. In JIRA versions before 7.0.0, such as 6.4.x, attackers only need access to the JIRA web interface. Using the secret key attackers can gain full control over a linked HipChat instance.

All versions of **HipChat for JIRA plugin** from 6.26.0 before **7.8.17** are affected by this vulnerability. 

All versions of **JIRA** from 6.4.8 before **7.0.11**(the fixed version for 7.0.x) and from **7.1.0** before **7.1.10** (the fixed version for 7.1.x) are affected by this vulnerability are affected by this vulnerability. This issue can be tracked here:  JRA-62496 - Getting issue details... STATUS

**Fix**

We have taken the following steps to address this issue:

1.  Released JIRA version **7.0.11** that updates the bundled copy of the **HipChat for JIRA plugin** to a fixed version.
2.  Released JIRA version **7.1.10** that updates the bundled copy of the **HipChat for JIRA plugin** to a fixed version.
3.  Released JIRA version **7.2.0** that updates the bundled copy of the **HipChat for JIRA plugin** to a fixed version.
4.  Released **HipChat for JIRA plugin version 7.8.17** that contains a fix for this issue.

****What You Need to Do****

**Upgrade (recommended)**

The vulnerabilities and fix versions are described in the description section above. Atlassian recommends that you upgrade to the latest version.

**Upgrade the HipChat for JIRA plugin**

Upgrade the HipChat for JIRA plugin to version **7.8.17 or higher**. For instructions on how to update add-ons like the **HipChat for JIRA plugin** see https://confluence.atlassian.com/display/UPM/Updating+add-ons. The HipChat for JIRA plugin marketplace entry can be found at https://marketplace.atlassian.com/plugins/com.atlassian.labs.hipchat.hipchat-for-JIRA-plugin/server/overview.

**If you cannot upgrade the HipChat For JIRA Plugin to version 7.8.17 or higher then** **upgrade JIRA to version 7.2.0** **or higher.**

If you are running **JIRA 7.1.x** **and** **cannot upgrade to** **JIRA** **7.2.0** **then** **upgrade to version 7.1.10.**

If you are running **JIRA 7.0.x** **and** **cannot upgrade to** **JIRA** **7.2.0 or 7.1.10** **then** **upgrade to version 7.0.11.**

**Next, follow these steps to **rotate the secret key.** **

You need admin permissions for both JIRA and HipChat to do this: 

1.  Log in to JIRA as a user with admin permissions and go to <your-jira-site>/plugins/servlet/hipchat/configure
2.  Click **_Remove integration_**_._ This will sever the link and uninstall the add-on in HipChat.
3.  Once you land back on the HipChat Integration page, click **_Connect HipChat_**. This will re-establish the link between HipChat and JIRA with a new secret key.

For a full description of the latest version of JIRA, see the release notes. You can download the latest version of JIRA from the download centre.

****Mitigation****

If you are unable to upgrade your JIRA server or the HipChat for JIRA plugin, then as a **temporary workaround**, you can disable or uninstall the **HipChat for JIRA plugin** in JIRA.

**Support**

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

****References****

Security Bug fix Policy

As per our new policy critical security bug fixes will be back ported to major software versions for up to 12 months for JIRA and Confluence.  We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

**Binary patches will no longer be released.** 

 Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

 End of Life Policy

 Our end of life policy varies for different products. Please refer to our EOL Policy for details.

CVE-2016-6668: JIRA and HipChat for JIRA plugin Security Advisory 2016-09-21 | Atlassian Support

The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

This advisory discloses a **critical** security vulnerability that exists in all versions of Confluence up to and including 4.1.9.

*   **Customers** **who have downloaded and installed Confluence** should upgrade their existing Confluence installations to fix this vulnerability.  
*   **Enterprise Hosted customers** need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
*   **JIRA Studio and Atlassian OnDemand customers** are not affected by any of the issues described in this advisory.

Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.   

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

**In this advisory:**

**Critical XML Parsing Vulnerability****Severity**

Atlassian rates the severity level of this vulnerability as **crit****ical**, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

**Description**

We have identified and fixed a vulnerability in Confluence that results from the way third-party XML parsers are used in Confluence. This vulnerability allows an attacker to:

*   execute denial of service attacks against the Confluence server, or  
    
*   read all local files readable to the system user under which Confluence runs.

The attacker does not need to have an account with the affected Confluence instance.

All versions of Confluence **up to and including 4.1.9** are affected by this vulnerability. This issue can be tracked here: CONF-25077 - Getting issue details... STATUS

The Gliffy for Confluence plugin is also vulnerable to this exploit. If you are using the Gliffy plugin for Confluence with _any_ version of Confluence, you will need to upgrade it (see 'Fix' section below) or disable it.

**Risk Mitigation**

We recommend that you upgrade your Confluence installation to fix this vulnerability.

Alternatively, if you are not in a position to upgrade immediately, you should do **all** of the following until you can upgrade. Please note, these measures will only limit the impact of the vulnerability, they will not mitigate it completely.  

*   Disable access to the SOAP and XML-RPC APIs, if these remote APIs are not required. Note, remote API access is disabled by default. See enabling remote APIs for instructions.  
    Disable the following plugins/plugin modules (see Disabling and enabling apps):  
    *   Office Connector plugin
    *   JUnitReport macro module of the confluence-advanced-macros plugin (called "Advanced Macros" in the interface)  
        
    *   confluence-jira3-macros plugin (called "JIRA Macros" in the interface)  
        
    *   WebDAV
*   Disable public access (such as anonymous access  and public signup) to Confluence until you have upgraded.
*   Ensure that your Confluence system user is restricted as described in best practices for configuring Confluence security.

**Fix**

**Upgrade** 

1.  Upgrade to Confluence 4.2 or later which fixes this vulnerability. For a full description of this release, see the Confluence 4.2 Release Notes. The following releases have also been made available to fix these issues in older Confluence versions.  You can download these versions of Confluence from the download centre.   
      
    *   Confluence 4.1.10 for Confluence 4.1 
    *   Confluence 4.0.7 for Confluence 4.0 
    *   Confluence 3.5.17 for Confluence 3.5
2.   Upgrade the following Confluence third-party plugins, if you are using them. The table below describes which version of the plugin you should upgrade to, depending on your Confluence version. See Updating Add-ons for instructions on how to update a plugin. 
    
    Plugin
    
    Confluence 4.2
    
    Confluence 4.1
    
    Confluence 4.0
    
    Confluence 3.5
    
    Gliffy plugin for Confluence
    
    4.2
    
    4.2
    
    4.2
    
    4.2
    

**Patches**  

There are no patches available for this vulnerability. Due to the extent of the changes required to fix the vulnerability, it is not possible to provide patches that resolve the issue without compromising the reliability of Confluence. You must upgrade to fix this vulnerability.

CVE-2012-2928: Confluence Security Advisory 2012-05-17 | Confluence Data Center and Server 7.17

The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole."

Tag

#jira