JetBrains keeps mum on 26 'security problems' fixed after Rapid7 spat
Vendor takes hardline approach to patch disclosure to new levels
Updated: JetBrains TeamCity users are urged to apply the latest version upgrade this week after the vendor disclosed 26 new security issues in the CI/CD web application.
However, JetBrains declined to release details. The release notes for version 2024.03 simply state "26 security problems have been fixed."
Typically, security advisories detail at least the CVE tracking ID for each vulnerability, as well as the estimated severity rating and a brief description of the location and nature of the vulnerability.
JetBrains has remained staunch against pre-emptively disclosing security issues, though, following a brief disclosure drama involving Rapid7 earlier this month.
Rapid7 called out JetBrains for allegedly silently patching a pair of vulnerabilities. JetBrains said it was allowing time for admins to apply patches before going public with the details; Rapid7 apparently didn't believe it and published what was essentially a how-to guide for exploiting them just a few hours after the patches were released. The move led to exploitation.
Perhaps learning from this incident, JetBrains is seemingly erring on the side of extreme caution by withholding all information.
Giving his interpretation of JetBrains' approach, Elliott Wilkes, CTO at Advanced Cyber Defence Systems, said: "This seems surprisingly opaque given the number of vulnerabilities here.
"There are a few factors that are possibly affecting their decision to patch these issues without any explanation or detail. First, earlier in March TeamCity had two critical vulnerabilities that were exploited by ransomware teams. They were pretty significant, so much so that they very quickly went on the CISA list of Known Exploited Vulnerabilities (KEV).
"The TeamCity/JetBrains group might be using extra caution right now considering the ransomware attacks on their customers that came to light earlier this month. It is also possible these are somehow related issues, in which case they would be obliged not to disclose more information during ongoing incident response and ransomware response operations. That said, 26 issues is a lot and I'd be surprised if all of those were related to the ongoing ransomware concerns."
JetBrains says in the release notes: "We do not share the details of security-related issues to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity."
The vendor has pointed users to its published security bulletins page to learn about disclosed vulnerabilities, but these typically don't appear for at least a few days after the new version is released.
Also included in the security section of the release notes was a nod to a new feature for on-prem TeamCity users that arrived in 2024.03, which sees critical security updates semi-automatically downloaded.
The cloud version of TeamCity already benefitted from automatic security updates, but this is the first time on-prem users have been afforded the same luxury.
"To keep you ahead of the curve in preventing and mitigating security issues, TeamCity 2024.03 now automatically downloads critical security updates," it says in the document. "This approach helps to keep your system fortified against emerging risks and to swiftly tackle major vulnerabilities."
It's being called a semi-automatic upgrade feature because once downloaded, the system administrator still needs to approve the update's installation.
Protect those pipelines
Because TeamCity manages CI/CD pipelines, the tool is a prime target for miscreants looking to launch a software supply chain attack.
History has told us that these can be pretty nasty and lead to the compromise of swathes of organizations, as in the case of SolarWinds.
TeamCity has been the subject of various attacks in recent times, including, as recently as this month, by criminals using Jasmin, a modded version of the educational GoodWill ransomware variant.
Back in December, both Russian and North Korean state-sponsored cyberattackers were also caught exploiting a critical vulnerability in TeamCity for three months. Multiple security agencies said in an advisory that successful exploits could lead to the manipulation of source code, signing certificates, and compilation and deployment processes.
Broader attacks on software supply chains are discovered fairly often given the level of access and potential for disruption they offer.
The UK and Republic of Korea issued an alert late last year warning of an increase in sophistication from North Korea's state-sponsored cyber troops in carrying out their software supply chain attacks. They noted that zero days and N-day vulnerabilities were being used increasingly to further the country's typical goals of money generation, espionage, and IP theft.
Major incidents like those involving MOVEit MFT and 3CX have also dominated headlines over the past year. Cl0p's orchestration of the MOVEit attacks led to more than 2,700 organizations being breached, whereas 3CX's incident is believed to be the first recorded case of one software supply chain attack leading to another.
Just this week we've seen an estimated 170,000 members of the Top.gg GitHub page affected by a poisoned Python package, and the rise of AI could also lead to an expansion in these types of attacks if the industry isn't careful. ®
Updated to add on April 5:
Yaroslav Russkih, head of security at JetBrains, said in a statement it wanted to clarify that "TeamCity.2024.03" itself didn't have "26 security problems." He added: "Most of these refer to issues discovered in upstream libraries. The standard practice in such cases is updating them immediately to avoid security risks. This is almost a daily occurrence for any tech product.
"This is why we file them under 'Security problem' internally, even if they're not relevant or exploitable in TeamCity.
"As a CVE Numbering Authority (CNA), we provide details on actual vulnerabilities which had potential practical impact on our external users, as we did for this release as well." (JetBrains' emphasis)