Atlassian - March 2017 - Bamboo, Crowd and HipChat Server - Critical Security Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the following advisory pages:

* Bamboo - https://confluence.atlassian.com/x/_slDN
* Crowd - https://confluence.atlassian.com/x/PMpDN
* HipChat Server - https://confluence.atlassian.com/x/lj1LN


CVE ID:

* CVE-2017-5638.


Product: Bamboo.

Affected Bamboo product versions:

5.1.0 <= version < 5.14.5
5.15.0 <= version < 5.15.3


Fixed Bamboo product versions:

* for 5.14.x, Bamboo 5.14.5 has been released with a fix for this issue.
* for 5.15.x, Bamboo 5.15.3 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability
that was introduced in version 5.1.0 of Bamboo. Versions of Bamboo
starting with version 5.1.0 but less than 5.14.5 (the fixed version
for 5.14.x), and from 5.15.0 but less than 5.15.3 (the fixed version
for 5.15.x) are affected by this vulnerability.

Atlassian Cloud instances have already been upgraded to a version of
Bamboo that does not have the issue described in this email.

Customers who have upgraded Bamboo to version 5.14.5 or 5.15.3 are not affected.

Customers who have downloaded and installed Bamboo >= 5.1.0 but less
than 5.14.5 (the fixed version for 5.14.x) or who have downloaded and
installed Bamboo >= 5.15.0 but less than 5.15.3 (the fixed version for
5.15.x) please upgrade your Bamboo installations immediately to fix
this vulnerability.


Remote code execution through Apache Struts 2 (CVE-2017-5638)

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low.
This is an independent assessment and you should evaluate its
applicability to your own IT environment.


Description:

Bamboo used a version of Apache Struts 2 that was vulnerable to
CVE-2017-5638. Attackers can use this vulnerability to execute Java
code of their choice on systems that have a vulnerable version of
Bamboo without prior authentication.
All versions of Bamboo starting with version 5.1.0 but less than
5.14.5 (the fixed version for 5.14.x), and from 5.15.0 but less than
5.15.3 (the fixed version for 5.15.x) are affected by this
vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/BAM-18242.


Fix:

To address this issue, we've released the following versions containing a fix:

* Bamboo version 5.14.5
* Bamboo version 5.15.3

Remediation:

Upgrade Bamboo to version 5.15.3 or higher.

The vulnerabilities and fix versions are described above. If affected,
you should upgrade to the latest version immediately.


If you are running Bamboo 5.14.x and cannot upgrade to 5.15.3, upgrade
to version 5.14.5.


For a full description of the latest version of Bamboo, see
the release notes found at
https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You
can download the latest version of Bamboo from the download centre
found at https://www.atlassian.com/software/bamboo/download.


Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.


CVE ID:

* CVE-2017-5638.


Product: Crowd.

Affected Crowd product versions:

2.8.3 <= version < 2.9.7
2.10.1 <= version < 2.10.3
2.11.0 <= version < 2.11.1


Fixed Crowd product versions:

* for 2.9.x, Crowd 2.9.7 has been released with a fix for this issue.
* for 2.10.x, Crowd 2.10.3 has been released with a fix for this issue.
* for 2.11.x, Crowd 2.11.1 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability
that was introduced in version 2.8.3 of Crowd. Versions of Crowd
starting with version 2.8.3 before 2.9.7 (the fixed version for
2.9.x), from version 2.10.1 before 2.10.3 (the fixed version for
2.10.x) and from version 2.11.0 before 2.11.1 (the fixed version for
2.11.x) are affected by this vulnerability.

Atlassian Cloud instances aren't affected by the issue described in this email.

Customers who have upgraded Crowd to version 2.9.7 or 2.10.3 or 2.11.1
are not affected.

Customers who have downloaded and installed Crowd >= 2.8.3 but less
than 2.9.7 (the fixed version for 2.9.x) or who have downloaded and
installed Crowd >= 2.10.1 but less than 2.10.3 (the fixed version for
2.10.x) or who have downloaded and installed Crowd >= 2.11.0 but less
than 2.11.1 (the fixed version for 2.11.x) please upgrade your Crowd
installations immediately to fix this vulnerability.


Remote code execution through Apache Struts 2 (CVE-2017-5638)

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low.
This is an independent assessment and you should evaluate its
applicability to your own IT environment.


Description:

Crowd used a version of Apache Struts 2 that was vulnerable to
CVE-2017-5638. Attackers can use this vulnerability to execute Java
code of their choice without prior authentication on systems that have
a vulnerable version of Crowd.
All versions of Crowd starting with version 2.8.3 before 2.9.7 (the
fixed version for 2.9.x), from version 2.10.1 before 2.10.3 (the fixed
version for 2.10.x) and from version 2.11.0 before 2.11.1 (the fixed
version for 2.11.x) are affected by this vulnerability. This issue can
be tracked at: https://jira.atlassian.com/browse/CWD-4879.


Fix:

To address this issue, we've released the following versions containing a fix:

* Crowd version 2.9.7
* Crowd version 2.10.3
* Crowd version 2.11.1

Remediation:

Upgrade Crowd to version 2.11.1 or higher.

The vulnerabilities and fix versions are described above. If affected,
you should upgrade to the latest version immediately.


If you are running Crowd 2.9.x and cannot upgrade to 2.11.1, upgrade
to version 2.9.7.
If you are running Crowd 2.10.x and cannot upgrade to 2.11.1, upgrade
to version 2.10.3.


For a full description of the latest version of Crowd, see
the release notes found at
https://confluence.atlassian.com/display/CROWD/Crowd+Release+Notes.
You can download the latest version of Crowd from the download centre
found at https://www.atlassian.com/software/crowd/download.


Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.


CVE ID:

* CVE-2017-5638.


Product: HipChat Server.

Affected HipChat Server product versions:

version < 2.2.2


Fixed HipChat Server product versions:

* HipChat Server 2.2.2 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability
that affects all versions of HipChat Server before 2.2.2.

HipChat Cloud does not have the issue described on this page.

Customers who have upgraded HipChat Server to version 2.2.2 are not affected.

Customers who have downloaded and installed HipChat Server less than
2.2.2 please upgrade your HipChat Server installations immediately to
fix this vulnerability.


Remote code execution through Apache Struts 2 (CVE-2017-5638)

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low. This is an independent assessment and you should evaluate its
applicability to your own IT environment.


Description:


HipChat Server includes a version of Crowd that has a version of the
Apache Struts 2 library that is vulnerable to CVE-2017-5638. Attackers
who have network access to a HipChat Server instance running a
vulnerable version of HipChat Server can use this vulnerability to
execute Java code of their choice and to make HTTP requests to local
and internal services.

All versions of HipChat Server before 2.2.2 are affected by this
vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/HCPUB-2801 .


Fix:

To address this issue, we've released the following versions containing a fix:

* HipChat Server version 2.2.2

Remediation:

Upgrade HipChat Server to version 2.2.2 or higher. Information on
upgrading HipChat Server can be found at
https://confluence.atlassian.com/hc/upgrading-hipchat-server-606306347.html.

How do I check which version of HipChat Server I am running?
You can check which version of HipChat Server you are running by going
to https://your-server/server_admin/upgrade or by using ssh to log in
to your HipChat Server and run cat /etc/hipchat-release.
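The affected ranges quoted in the three product sections above are half-open intervals (lower bound inclusive, fixed version exclusive), and a lexical string comparison gets them wrong ("5.9.0" sorts after "5.14.5" as text). The following added example, which is not Atlassian tooling and is not part of this advisory, encodes the advisory's ranges for all three products and checks an installed version string numerically; the inventory at the bottom is constructed sample data, and the function and product key names are this example's own.

```python
"""Check installed Bamboo, Crowd and HipChat Server versions against the
affected ranges published in Atlassian's March 2017 advisory for
CVE-2017-5638. Added example, not Atlassian's own code."""
from __future__ import annotations

import re

# (lower bound inclusive, fixed version exclusive), copied from the
# "Affected ... product versions" lines of the advisory. A lower bound of
# None means "every version before the fix" (HipChat Server).
AFFECTED_RANGES: dict[str, list[tuple[str | None, str]]] = {
    "bamboo": [("5.1.0", "5.14.5"), ("5.15.0", "5.15.3")],
    "crowd": [("2.8.3", "2.9.7"), ("2.10.1", "2.10.3"), ("2.11.0", "2.11.1")],
    "hipchat-server": [(None, "2.2.2")],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.14.5' (optionally prefixed with 'v' or followed by a build
    suffix) into a tuple of ints so comparison is numeric, not lexical.
    Short forms such as '5.14' are padded to '5.14.0'."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def minimum_fix(product: str, version: str) -> str | None:
    """Return the fixed version on the installed release line if the
    installed version falls inside an affected range, else None. Ranges
    are applied exactly as the advisory states them: a version that lies
    between two ranges (e.g. Crowd 2.10.0) is reported as not affected."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES[product.lower()]:
        lower_ok = lower is None or parse_version(lower) <= v
        if lower_ok and v < parse_version(upper):
            return upper
    return None


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is inside one of the affected ranges."""
    return minimum_fix(product, version) is not None


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Produce one line per host from (hostname, product, version) records.
    Returned rather than printed so it can be fed to a ticketing system."""
    lines = []
    for host, product, version in inventory:
        fix = minimum_fix(product, version)
        if fix is None:
            lines.append(f"{host}: {product} {version} not in an affected range")
        else:
            lines.append(f"{host}: {product} {version} AFFECTED, upgrade to {fix}")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("ci-01.example", "bamboo", "5.14.2"),
        ("ci-02.example", "bamboo", "5.15.3"),
        ("sso-01.example", "crowd", "2.10.2"),
        ("chat-01.example", "hipchat-server", "2.2.1"),
    ]
    for line in triage(sample):
        print(line)
```

On a HipChat Server host the version string can be taken from the `/etc/hipchat-release` file named above and passed to `minimum_fix("hipchat-server", ...)`; the example makes no assumption about that file's exact layout, so read it and extract the version with `parse_version` yourself.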


For a full description of the latest version of HipChat Server, see
the release notes found at
https://confluence.atlassian.com/display/hc/hipchat+server+Release+Notes.
You can download the latest version of HipChat Server from the
download centre found at https://www.hipchat.com/server/get-it.


Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.