-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the following advisory pages:

* Bamboo - https://confluence.atlassian.com/x/_slDN
* Crowd - https://confluence.atlassian.com/x/PMpDN
* HipChat Server - https://confluence.atlassian.com/x/lj1LN

CVE ID:

* CVE-2017-5638.

Product: Bamboo.

Affected Bamboo product versions:

5.1.0 <= version < 5.14.5
5.15.0 <= version < 5.15.3

Fixed Bamboo product versions:

* for 5.14.x, Bamboo 5.14.5 has been released with a fix for this issue.
* for 5.15.x, Bamboo 5.15.3 has been released with a fix for this issue.

Summary:

This advisory discloses a critical severity security vulnerability that was introduced in version 5.1.0 of Bamboo. Versions of Bamboo starting with version 5.1.0 but less than 5.14.5 (the fixed version for 5.14.x), and from 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x) are affected by this vulnerability.

Atlassian Cloud instances have already been upgraded to a version of Bamboo that does not have the issue described in this email.

Customers who have upgraded Bamboo to version 5.14.5 or 5.15.3 are not affected.

Customers who have downloaded and installed Bamboo >= 5.1.0 but less than 5.14.5 (the fixed version for 5.14.x) or who have downloaded and installed Bamboo >= 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x) please upgrade your Bamboo installations immediately to fix this vulnerability.

Remote code execution through Apache Struts 2 (CVE-2017-5638)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description:

Bamboo used a version of Apache Struts 2 that was vulnerable to CVE-2017-5638.
Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo without prior authentication.

All versions of Bamboo starting with version 5.1.0 but less than 5.14.5 (the fixed version for 5.14.x), and from 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/BAM-18242 .

Fix:

To address this issue, we've released the following versions containing a fix:

* Bamboo version 5.14.5
* Bamboo version 5.15.3

Remediation:

Upgrade Bamboo to version 5.15.3 or higher.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Bamboo 5.14.x and cannot upgrade to 5.15.3, upgrade to version 5.14.5.

For a full description of the latest version of Bamboo, see the release notes found at https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can download the latest version of Bamboo from the download centre found at https://www.atlassian.com/software/bamboo/download.

Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

CVE ID:

* CVE-2017-5638.

Product: Crowd.

Affected Crowd product versions:

2.8.3 <= version < 2.9.7
2.10.1 <= version < 2.10.3
2.11.0 <= version < 2.11.1

Fixed Crowd product versions:

* for 2.9.x, Crowd 2.9.7 has been released with a fix for this issue.
* for 2.10.x, Crowd 2.10.3 has been released with a fix for this issue.
* for 2.11.x, Crowd 2.11.1 has been released with a fix for this issue.

Summary:

This advisory discloses a critical severity security vulnerability that was introduced in version 2.8.3 of Crowd.
Versions of Crowd starting with version 2.8.3 before 2.9.7 (the fixed version for 2.9.x), from version 2.10.1 before 2.10.3 (the fixed version for 2.10.x) and from version 2.11.0 before 2.11.1 (the fixed version for 2.11.x) are affected by this vulnerability.

Atlassian Cloud instances aren't affected by the issue described in this email.

Customers who have upgraded Crowd to version 2.9.7 or 2.10.3 or 2.11.1 are not affected.

Customers who have downloaded and installed Crowd >= 2.8.3 but less than 2.9.7 (the fixed version for 2.9.x) or who have downloaded and installed Crowd >= 2.10.1 but less than 2.10.3 (the fixed version for 2.10.x) or who have downloaded and installed Crowd >= 2.11.0 but less than 2.11.1 (the fixed version for 2.11.x) please upgrade your Crowd installations immediately to fix this vulnerability.

Remote code execution through Apache Struts 2 (CVE-2017-5638)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description:

Crowd used a version of Apache Struts 2 that was vulnerable to CVE-2017-5638. Attackers can use this vulnerability to execute Java code of their choice without prior authentication on systems that have a vulnerable version of Crowd.

All versions of Crowd starting with version 2.8.3 before 2.9.7 (the fixed version for 2.9.x), from version 2.10.1 before 2.10.3 (the fixed version for 2.10.x) and from version 2.11.0 before 2.11.1 (the fixed version for 2.11.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/CWD-4879 .
Fix:

To address this issue, we've released the following versions containing a fix:

* Crowd version 2.9.7
* Crowd version 2.10.3
* Crowd version 2.11.1

Remediation:

Upgrade Crowd to version 2.11.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Crowd 2.9.x and cannot upgrade to 2.11.1, upgrade to version 2.9.7.

If you are running Crowd 2.10.x and cannot upgrade to 2.11.1, upgrade to version 2.10.3.

For a full description of the latest version of Crowd, see the release notes found at https://confluence.atlassian.com/display/CROWD/Crowd+Release+Notes. You can download the latest version of Crowd from the download centre found at https://www.atlassian.com/software/crowd/download.

Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

CVE ID:

* CVE-2017-5638.

Product: HipChat Server.

Affected HipChat Server product versions:

version < 2.2.2

Fixed HipChat Server product versions:

* HipChat Server 2.2.2 has been released with a fix for this issue.

Summary:

This advisory discloses a critical severity security vulnerability that affects all versions of HipChat Server before 2.2.2.

HipChat Cloud does not have the issue described on this page.

Customers who have upgraded HipChat Server to version 2.2.2 are not affected.

Customers who have downloaded and installed HipChat Server less than 2.2.2 please upgrade your HipChat Server installations immediately to fix this vulnerability.

Remote code execution through Apache Struts 2 (CVE-2017-5638)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description:

HipChat Server includes a version of Crowd that has a version of the Apache Struts 2 library that is vulnerable to CVE-2017-5638. Attackers who have network access to a HipChat Server instance running a vulnerable version of HipChat Server can use this vulnerability to execute Java code of their choice and to make http requests to local & internal services.

All versions of HipChat Server before 2.2.2 are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/HCPUB-2801 .

Fix:

To address this issue, we've released the following versions containing a fix:

* HipChat Server version 2.2.2

Remediation:

Upgrade HipChat Server to version 2.2.2 or higher.

Information on upgrading HipChat Server can be found at https://confluence.atlassian.com/hc/upgrading-hipchat-server-606306347.html .

How do I check which version of HipChat Server I am running?

You can check which version of HipChat Server you are running by going to https://your-server/server_admin/upgrade or by using ssh to log in to your HipChat Server and run cat /etc/hipchat-release.

For a full description of the latest version of HipChat Server, see the release notes found at https://confluence.atlassian.com/display/hc/hipchat+server+Release+Notes . You can download the latest version of HipChat Server from the download centre found at https://www.hipchat.com/server/get-it.

Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
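The three affected-version tables in this advisory are the check an administrator actually has to run against an inventory, and "is 5.9 affected?" is easy to get wrong with string comparison. The following is an added example, not Atlassian's own tooling: a small Python script that encodes the Bamboo, Crowd and HipChat Server ranges exactly as the advisory states them (lower bound inclusive, fixed version exclusive) and reports, per host, which fixed version on the same release line to upgrade to. The hostnames and installed versions in SAMPLE_INVENTORY are constructed for illustration; the version ranges are the advisory's own.

```python
"""Triage an inventory of Bamboo / Crowd / HipChat Server hosts against the
affected-version ranges of this advisory (CVE-2017-5638, Apache Struts 2).

Added example, not Atlassian's code. Ranges copied from the advisory text;
the sample inventory below is constructed.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (lower_inclusive, upper_exclusive) per product, as the advisory states them.
# The upper bound is the fixed version for that release line; a None lower
# bound means "every version below the fix" (HipChat Server).
AFFECTED_RANGES: Dict[str, List[Tuple[Optional[str], str]]] = {
    "Bamboo": [("5.1.0", "5.14.5"), ("5.15.0", "5.15.3")],
    "Crowd": [("2.8.3", "2.9.7"), ("2.10.1", "2.10.3"), ("2.11.0", "2.11.1")],
    "HipChat Server": [(None, "2.2.2")],
}


def parse_version(text: str) -> Version:
    """Turn '5.14.5' into (5, 14, 5).

    Tuples of ints compare numerically, so (5, 9) < (5, 14, 5) as intended,
    whereas the strings '5.9' and '5.14.5' would compare the wrong way round.
    Anything that is not a dotted run of digits is rejected rather than guessed.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def recommended_fix(product: str, version: str) -> Optional[str]:
    """Return the fixed version for the release line `version` sits on, or None
    when the version is outside every affected range (already fixed, or older
    than the first release that shipped the vulnerable Struts 2 dependency).
    Unknown products raise KeyError so a typo does not silently pass as safe.
    """
    installed = parse_version(version)
    for lower, upper in AFFECTED_RANGES[product]:
        above_lower = lower is None or installed >= parse_version(lower)
        below_fix = installed < parse_version(upper)
        if above_lower and below_fix:
            return upper
    return None


def is_affected(product: str, version: str) -> bool:
    """True when the advisory's ranges say this version needs upgrading."""
    return recommended_fix(product, version) is not None


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("build01.example.internal", "Bamboo", "5.14.4"),
    ("build02.example.internal", "Bamboo", "5.15.3"),
    ("sso01.example.internal", "Crowd", "2.10.2"),
    ("sso02.example.internal", "Crowd", "2.8.2"),
    ("chat01.example.internal", "HipChat Server", "2.1.0"),
]


def triage(inventory) -> Dict[str, str]:
    """Map each affected host to the version it should be upgraded to."""
    actions: Dict[str, str] = {}
    for host, product, version in inventory:
        fix = recommended_fix(product, version)
        if fix is not None:
            actions[host] = fix
    return actions


if __name__ == "__main__":
    for host, fix in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: affected, upgrade to {fix}")
```

Note that the script follows the advisory literally: Crowd 2.10.0 falls between the 2.9.x range and the 2.10.1 lower bound and is therefore reported as not affected, which is what the tables say. If you maintain your own inventory, the hostname and version fields are the only things to replace; the ranges should stay as published.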
-----BEGIN PGP SIGNATURE-----

iQI0BAEBCgAeBQJYx1gxFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8
UnagQFsP/iFl/PacFX7wBT2M9B9QfRMw+DkbB7Z0o+vH0BxLhTJ393q7j/X8pLZy
iDMP0Hu3u9nSijIeEKBXSTIhjmhmBWQRvZaGvgXILUF6+XhO+p8q7cLRJrd7SRSD
zUFeQIEtU96ohe2k11uxamQlp0zpEiB0z9CJoNX3uDRgixGbYIyYk5ydb72M7+Ew
M8g8a4pMXVFvVFYGBARMpLoKLq6vRWZZIi9PlRR9ccaySwJlD6OIGGfLiP4NC39S
XSIhLgRBy9IGzoN6V7y8N0Xam/b7nqaiBkECArSn4ne5WQrFpDaEgWm+pInOy0yH
I1kVE0Aqf9ubuopafBWJfBSEWU9FWx1lRCJ6eQKsQ6GA3tdiQ6yKSGYs9IHmyJom
aY3jUkCBg24EsDrzuRENlv6C8LUEB5PG0h4+HR8LX/WKsJ1jKVoaTRDTQ2dy0TVc
GLrdBbStq4dI9NMBhutuIAyqW5NO/2XRu2UwrDM3bpt+QJOqE/aVtmDqi0GhJ983
/EKsblvaxeDGwEyMtJcGETocW/f1O20b6lqL+anaFd6cAnK5EvPykhwGQ11oDw/R
DGLVL6J3QSccYMa3l/XWMLG9tTrhA6vx8KHl+mP35mWwybSGjjYNJXxSELIPyVvQ
J4ioXe226D6KcU/4LoFffONnvIHr5WBSfDM4Z7DVgYS6MPNYsCj7
=31Fr
-----END PGP SIGNATURE-----