Hacker reports 26 vulnerabilities in TeamCity, quickly addressed by JetBrains

JetBrains TeamCity users are strongly recommended to install the latest update, as the developers report that they have fixed 26 vulnerabilities in the CI/CD solution. It is worth noting that no data about the problems is disclosed, and Rapid7 specialists have previously criticized JetBrains for this approach.

The release notes for version 2024.03 simply state that it has “fixed 26 security issues.” Typically, in such cases, at a minimum, the CVE identifier for each vulnerability is indicated, as well as the expected severity rating and a brief description of the nature of the bug.


However, JetBrains opposes premature disclosure of vulnerabilities, saying it gives administrators more time to install patches. At the beginning of this month, Rapid7 experts harshly criticized JetBrains developers for this approach.

Let us recall that at that time a number of critical bugs were discovered in TeamCity that allowed a remote, unauthenticated attacker to gain administrator rights and seize control of the server.

Rapid7 believed that the TeamCity developers were deliberately trying to hide information about these problems, and just a few hours after the patches were released, its experts published a detailed analysis of the vulnerabilities and their possible exploitation. As a result, the vulnerabilities were quickly adopted by extortion (ransomware) groups and other attackers.

It seems that after this incident the company decided to be even more careful and does not even disclose CVE identifiers.


“We are not disclosing details of security issues to avoid putting customers who continue to use previous patches and/or major versions of TeamCity at risk,” JetBrains wrote, without providing any further details.

It is also mentioned that version 2024.03 introduces a new feature for users of the on-premises version of TeamCity, through which critical security updates will now be downloaded semi-automatically. The developers say that this will help “protect the system from emerging risks and quickly eliminate key vulnerabilities.”
