Hipchat for Mac desktop client versions prior to 4.30 suffer from a remote code execution vulnerability.
bc9f76c16c2234a3266f91910a0c367f-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This email refers to the advisory found at
https://confluence.atlassian.com/x/NXEGO .
CVE ID:
* CVE-2017-14586.
Product: Hipchat for Mac desktop client.
Affected Hipchat for Mac desktop client product versions:
4.0 <= version < 4.30
Fixed Hipchat for Mac desktop client product versions:
* Hipchat for Mac desktop client 4.30 has been released with a fix for this
issue.
Summary:
This advisory discloses a critical severity security vulnerability that was
introduced in version 4.0 of Hipchat for Mac desktop client. Versions of Hipchat
for Mac desktop client starting with versions of Hipchat for Mac desktop client
from 4.0 but less than 4.30 (the fixed version) are affected by this
vulnerability.
Customers who have upgraded Hipchat for Mac desktop client to version 4.30 are
not affected.
Customers who have downloaded and installed Hipchat for Mac desktop client >=
4.0 but less than 4.30 please upgrade your Hipchat for Mac desktop client
installations immediately to fix this vulnerability.
Remote code execution in HipChat for Mac desktop client - CVE-2017-14586
Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.
Description:
The Hipchat for Mac desktop client is vulnerable to client-side remote code
execution via video call link parsing.
Versions of Hipchat for Mac desktop client starting with versions of Hipchat for
Mac desktop client from 4.0 but less than 4.30 (the fixed version) are affected
by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/HCPUB-3473? .
Fix:
To address this issue, we've released the following versions containing a fix:
* Hipchat for Mac desktop client version 4.30
Remediation:
Upgrade Hipchat for Mac desktop client to version 4.30 or higher.
The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.
For a full description of the latest version of Hipchat for Mac desktop client,
see the release notes found at
https://www.hipchat.com/release_notes/mac. You can
download the latest version of Hipchat for Mac desktop client from the download
centre found at https://www.hipchat.com/downloads#mac.
Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJaF5WmAAoJECQgl6K8Unag2T8P/3ogJA7Q5WpkwsVpxja4eX+U
5NUpA0wGOCJfEceZfLDnEWOcL9wh3VAqDBHojZlV+kogYMACKItuf+T9Hh6q6gqi
esJykgAumYi0gNmC1dbk801tb4VK59K4tgtzFS523ARy1/uglNah0JlPEP89BOoq
n7jwb5Ox2Hb+RYuktvAnZQdfxV6151ayeqB9GFpGr5w4xDh3HwdaOO28aVK0lfvF
KjA7e0NT7k7Ghf6cQOHcLGcGfrle5SmMmz5iQQm41fUY1nnfFRVpBOVTZEZTGe+8
8maKgzK2f5IdAwcqMGgkvGn3b7BkoG0da4M5QRdGx3gvrNWPRuU4rf4S5Og0L8OE
ABR0ygi7NJy4sY69KTl/I9Y30nW9I9xiXGoaTus+iWA48j3HH6YPaI/vsZp+hEc7
O5EPLcdQVM6JUofzmF0pDHjaupliXNsXJllEf2fn1rAvkN67mCE/h3QJVkSrQPtG
Dv6bwpHxfGIHWSEV0+Rxenl7AfM5phb4ymTsyWWuG9D9lOOKO6JVrYZsOmT9n22v
FPPUAza1Lin2CuloGuM9h4Od4ZVkQlTtd3QKRkrMJWxzjh23/0xIfFa/wFTtkktm
uKZF9gyHzEOVB2CuHIexLZLAePgmKfiPzkQ626I0rHWU57QeoAcFX5QUNCNmM3YC
wM8G/9hq+2ED7zClXRLQ
=RCIT
-----END PGP SIGNATURE-----