
Atlassian Security Update


Security Update from Atlassian

Atlassian has launched an update to three of its products in order to combat what it describes as ‘critically severe’ vulnerabilities. The vulnerabilities affect Atlassian’s JIRA, Confluence and Bitbucket Server users, and are linked with the products’ HipChat plugin components.

This plugin utilises a secret key to interact with HipChat services across a variety of different pages. Problems arose when it was discovered that the HipChat plugin was not protecting this secret code, and was instead leaking it to external viewers.

Malicious users with access to JIRA, Confluence or Bitbucket accounts, holding the Create Space permission, a Space Admin permission for any space, and an Administrator or System Administrator role for JIRA, Confluence or Bitbucket, could exploit this vulnerability.

By exploiting the vulnerability, an attacker can take full control of the linked HipChat instance using the secret key leaked by the plugin. Updated versions of the HipChat plugin for JIRA, Confluence and Bitbucket – and of the software products themselves – have eliminated this risk, but the publishers request that you follow a few simple steps to ensure the ongoing efficacy and security of your Atlassian products.

JIRA Software

Any customers running a copy of JIRA at version 6.4.8 or above may need to take steps to secure their software. Customers who have already upgraded – to version 7.0.11, 7.1.10 or 7.2 – are not affected. Atlassian Cloud users have already had their instances upgraded and are likewise not affected.

Affected software:

JIRA: v6.4.8 to v7.0.11

v7.1.0 to v7.1.10

HipChat for JIRA plugin: v6.26.0 to v7.8.17

Security Process

The first thing users are recommended to do is to upgrade the copy of the software they are using. The version ranges listed above describe the copies affected by the vulnerability, so users must upgrade to a version above the upper bound of each range.

If a user is unable to download an update for the JIRA software, they are advised to download an update for the HipChat plugin for JIRA. Information on how to do that is included below.

Rotating the Security Key

To achieve full security, rotate the HipChat security key. This will require administrator permissions for JIRA and HipChat.

1. Use the administrator permissions to log into JIRA.

2. Go to <your-jira-site>/plugins/servlet/hipchat/configure

3. You will see an option to Remove Integration, which will uninstall the HipChat add-on. Click this.

4. Returning to the integration page, click the option to connect HipChat. A new link will be formed with a new secret key.


Confluence

A similarly severe vulnerability exists in Confluence. The fault was introduced in Confluence version 5.9.1 and exposes the plugin’s secret key in the same way; left unpatched, it could be exploited.

Affected software:

Confluence: v5.9.1 to v5.9.14

v6.26.0 to v7.8.17

Confluence HipChat Plugin: v6.26.0 to v7.8.17

Security Process

Customers are advised to upgrade the software they are using beyond the versions mentioned above. If this is attempted but a download is currently unavailable, the user should download a new version of the Confluence HipChat plugin, beyond the version mentioned above. Instructions for this are included below.

Rotating the Security Key

To achieve full security, rotate the HipChat security key. This will require administrator permissions for Confluence and HipChat.

1. Use the administrator permissions to log into Confluence.

2. Go to <your-confluence-site>/plugins/servlet/hipchat/configure

3. You will see an option to Remove Integration, which will uninstall the HipChat add-on. Click this.

4. Returning to the integration page, click the option to connect HipChat. A new link will be formed with a new secret key.


Bitbucket Server

The final Atlassian product affected by the security breach is Bitbucket Server. The versions of the server affected by the breach are a little more complicated than with the other two products. In this instance, the Atlassian HipChat Integration Plugin for Bitbucket versions 6.26.0 to 6.27.5 are affected, as are versions from 6.28.0 to 7.3.7 and from 7.4.0 to 7.8.17.

In addition, Bitbucket Server versions between 3.10.0 and 4.4.4 and from 4.5.0 to 4.5.3 are affected. Versions 4.6.0 to 4.6.4, 4.7.0 to 4.7.2 and 4.8.0 to 4.8.4 are all vulnerable.

Versions Affected

Bitbucket Server: v3.10.0 to v4.4.4

v4.5.0 to v4.5.3

v4.6.0 to v4.6.4

v4.7.0 to v4.7.2

v4.8.0 to v4.8.4

Atlassian HipChat Integration Plugin for Bitbucket: v6.26.0 to v6.27.5

v6.28.0 to v7.3.7

v7.4.0 to v7.8.17

Security Process

The first thing a user needs to do is to update the Bitbucket software to a version more recent than any of those listed above. The vulnerability is patched in these later releases. This may not always be possible, however; if so, download a more recent version of the Atlassian HipChat Integration Plugin for Bitbucket. Details on how to do this are included below.

Ideally, the user should upgrade to Bitbucket Server 4.9.0. If this is not possible, upgrade instead to one of the following secured versions;

Rotating the Security Key

To achieve full security, rotate the HipChat security key. This will require administrator permissions for Bitbucket and HipChat.

1. Use the administrator permissions to log into Bitbucket Server.

2. Go to <your-bitbucket-site>/plugins/servlet/hipchat/configure

3. You will see an option to Remove Integration, which will uninstall the HipChat add-on. Click this.

4. Returning to the integration page, click the option to connect HipChat. A new link will be formed with a new secret key.

Updating the Plugin

If a user is not able to download an updated version of one of the products, they are recommended to upgrade the HipChat plugin for the piece of software they are using. Information on which version to upgrade to is included under the product-specific headings above.

To download an updated version of the plugin, first log in to the software on an administrator’s account and click the administration option in the top right of the screen.

From here, select Manage Add-ons, then change the filter so that the Action required values are displayed for each of the add-ons.

You should now see the relevant HipChat add-on. There will be an Update button beside this. Click Update to begin using the latest version of HipChat for your chosen product.


For the full advisories, see the Atlassian website pages for JIRA, Confluence and Bitbucket Server.


Remember that GLiNTECH can assist you when you need to upgrade your server. For more information regarding using the latest versions of Atlassian products, and on downloading the latest versions of plugins and add-ons, get in touch with a member of our team today.