Updated: Security shop Rapid7 is criticizing JetBrains for violating its policy against silent patching in relation to fixes for two new vulnerabilities in the TeamCity CI/CD server.
Rapid7 says it reported the two TeamCity vulnerabilities in mid-February, and claims JetBrains shortly afterwards suggested releasing patches for the flaws before publicly disclosing them.
Such a path is generally viewed as a no-no by the infosec community, which favors transparency, but there is apparently a time and a place for these things.
According to the cybersecurity firm, it replied by saying it would not agree to silent disclosure, and pointed JetBrains to its policy against silently patching vulnerabilities, which stipulates that if a vendor violates that policy, Rapid7 will itself release the full details of the vulnerability, including enough information to allow others to build exploits, within 24 hours.
Rapid7 claims that after more than a week of radio silence from JetBrains on the coordinated disclosure matter, it noticed new patches for CVE-2024-27198 and CVE-2024-27199 on Monday, without a published security advisory and without the researchers being told.
Following what sounds like a sternly worded email from Rapid7, JetBrains released a blog post detailing the vulnerabilities, but the security researchers say it continued to ignore inquiries about why it violated coordinated vulnerability disclosure norms.
The full details can be found at the bottom of Rapid7's security advisory.
A glass-half-full onlooker might consider JetBrains' behavior and reckon that silently patching the vulnerabilities could have been a positive. It is well known that alerting attackers to vulnerabilities before organizations can apply patches often results in exploitation at a scale that leaves a trail of victims behind.
JetBrains may simply have wanted to avoid this scenario, but as it says in its own security advisory, it was well aware that Rapid7 would publish within 24 hours, so this optimistic reading does not hold up to much scrutiny.
Further, according to internet monitoring biz Shadowserver, exploitation of the vulnerabilities is already well underway, beginning at 2200 UTC on the same day the vulnerabilities were disclosed.
Glass-half-empty types will think JetBrains sought to avoid bad press, especially given the other recent TeamCity problems, or that it was simply unaware of the disclosure norms.
We sent some questions about this over to JetBrains but it did not immediately respond.
While JetBrains prepares to tell its side of the story*, members of the infosec community have shamed the TeamCity vendor over the alleged uncoordinated disclosure with Rapid7.
"The Rapid7 blog on JetBrains TeamCity is savage – especially the disclosure timeline," said security researcher Ron Bowes on Mastodon.
"I know from previously working on that team that we tried hard to be friendly and cooperative with vendors. The fact that Rapid7 calls them out on their behavior means it must have been bad."
Inside the TeamCity vulnerabilities
JetBrains said the two vulnerabilities, both found by Stephen Fewer, are "critical," though the National Vulnerability Database (NVD) has only assigned critical status to one of them.
CVE-2024-27198: An authentication bypass flaw enabled by an alternative path issue. It is located in the web component of TeamCity and has a critical CVSS score of 9.8.
CVE-2024-27199: An authentication bypass flaw enabled by a path traversal issue. It is also located in the web component of TeamCity and has a high CVSS score of 7.3.
It is worth noting that CVE-2024-27198 attracts the higher severity rating because it could allow attackers to gain full administrative control of a TeamCity server and achieve unauthenticated remote code execution.
Rapid7 says CVE-2024-27199 only allows for a "limited amount" of information disclosure and system modification. This includes an unauthenticated attacker being able to replace a server's HTTPS certificate with their own, thus opening up the possibility of man-in-the-middle (MITM) attacks.
Severity rating aside, CVE-2024-27198 will surely be the main cause for concern for CI/CD server admins given the potential for supply chain attacks to take hold.
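Both flaws are authentication bypasses in a web component, one via an alternative path and one via path traversal. The root cause in that class of bug is usually that the authorization decision and the request dispatch look at different forms of the same path. The following is an added, constructed illustration of that pattern and of the fix; it is not TeamCity's code, not Rapid7's, and does not reproduce the specific requests used against TeamCity. The `/static/` prefix, the `ROUTES` table and the `vulnerable_dispatch`/`hardened_dispatch` names are all assumptions made up for the example.

```python
from posixpath import normpath
from urllib.parse import unquote

# Constructed policy: only the static asset tree is reachable without a session.
PUBLIC_PREFIXES = ("/static/",)

# Constructed route table standing in for an application's handler map.
ROUTES = {
    "/static/logo.png": "static asset",
    "/admin/settings": "admin settings page",
}


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to one canonical form: drop query and fragment,
    decode percent-encoding, collapse '.', '..' and repeated slashes.
    Query/fragment are stripped by hand because urllib.parse.urlsplit would
    read a leading '//' as an authority component rather than a path."""
    path = raw_path.split("#", 1)[0].split("?", 1)[0]
    path = unquote(path)
    return normpath("/" + path.lstrip("/"))


def serve(target: str) -> str:
    """Look the canonical path up in the route table (constructed stand-in)."""
    handler = ROUTES.get(target)
    return f"200 {handler}" if handler else "404 Not Found"


def vulnerable_dispatch(raw_path: str, authenticated: bool) -> str:
    """Authorization inspects the raw string while dispatch uses the canonical
    one; the two disagree on '/static/../admin/settings', so the check is
    bypassed. This is the defect, kept deliberately for comparison."""
    if not authenticated and not raw_path.startswith(PUBLIC_PREFIXES):
        return "401 Unauthorized"
    return serve(canonical_path(raw_path))


def hardened_dispatch(raw_path: str, authenticated: bool) -> str:
    """Canonicalize once, then make the authorization decision and the
    dispatch decision on the same string so they cannot diverge."""
    target = canonical_path(raw_path)
    if not authenticated and not target.startswith(PUBLIC_PREFIXES):
        return "401 Unauthorized"
    return serve(target)


if __name__ == "__main__":
    # Constructed probe paths covering plain, dotted, encoded and double-slash forms.
    probes = [
        "/static/logo.png",
        "/admin/settings",
        "/static/../admin/settings",
        "/static/%2e%2e/admin/settings",
        "//static/../admin/settings?x=1",
    ]
    for p in probes:
        print(f"{p:34} vulnerable={vulnerable_dispatch(p, False):26} "
              f"hardened={hardened_dispatch(p, False)}")
```

The design point is not the particular normalization routine but the ordering: whatever canonical form the server ends up routing on must be the form the authorization check saw. When reviewing a front end, look for any place where an "is this public?" test runs on the raw request string and the handler lookup runs on a decoded or normalized one.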
JetBrains says the flaws only affect the on-prem version of TeamCity. Cloud versions are already patched and were not attacked before disclosure.
All on-prem versions through to 2023.11.3 are affected by the flaws, JetBrains says. So the simplest route to safety is to either upgrade to version 2023.11.4 or install its security patch plugin.
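For an admin with more than one on-prem server, the remediation statement above ("through to 2023.11.3 affected, fixed in 2023.11.4") translates into a simple inventory triage. The script below is an added example, not JetBrains' tooling; the host names and version strings in `INVENTORY` are constructed. One caveat the page's advice implies: a server remediated with the security patch plugin rather than an upgrade still reports its old version, so a hit here means "verify", not "confirmed unpatched".

```python
import re

# Constructed inventory of (host, version reported by the server); not real hosts.
INVENTORY = """\
ci-build-01,2023.11.3
ci-build-02,2023.11.4
ci-legacy,2022.10
ci-build-03,2024.03
"""

# First version the vendor names as carrying the fix (from the advisory text).
FIXED_VERSION = (2023, 11, 4)

# TeamCity-style versions: YEAR.MINOR with an optional .PATCH component.
_VERSION_RE = re.compile(r"\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Turn '2023.11.3' or '2022.10' into a comparable (year, minor, patch) tuple.
    A missing patch component counts as 0 so '2022.10' sorts before '2022.10.1'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def needs_patch(version_text: str) -> bool:
    """True when the reported version is older than the first fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory: str) -> list:
    """Return the hosts whose reported version predates the fix, in file order.
    Malformed lines are reported as needing a manual look rather than skipped."""
    flagged = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        try:
            if needs_patch(version):
                flagged.append(host)
        except ValueError:
            flagged.append(f"{host} (unparseable version)")
    return flagged


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: reported version predates {'.'.join(map(str, FIXED_VERSION))}, verify patch state")
```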
*Updated to add at 1619 UTC:
"The most important part is the following," said a JetBrains spokesperson, referencing a blog post discussing its side of events. "We never had any intention to release a fix silently without making the full details public. As a CVE Numbering Authority (CNA), we assigned CVE IDs for both issues a day after receiving the report.
"We suggested disclosing the details of the vulnerabilities in the same way we have followed in the past (with a time delay between releasing a fix and making a full disclosure), which allows our customers to upgrade their TeamCity instances.
"This suggestion was rejected by the Rapid7 team, who published full details of the vulnerabilities (and easy ways to exploit them) a few hours after we had released a fix to TeamCity customers."