UPDATE: In a statement to TechRadar Pro, Yaroslav Russkih, Head of Security at JetBrains, noted there were no “26 security problems”, as we had initially reported.
"Most of these refer to issues discovered in upstream libraries. The standard practice in such cases is updating them immediately to avoid security risks. This is almost a daily occurence for any tech product," he added."
This is why we file them under “Security problem” internally, even if they’re not relevant or exploitable in TeamCity."
JetBrains, the company behind the TeamCity CI/CD web application, recently released a patch for the product, addressing no less than 26 issues.
However, the company was apparently reluctant to reveal any specific details about the changes, raising eyebrows among the cybersecurity community.
In the release notes, published on March 27, the only thing the team said was “26 security problems have been fixed.”
Disclosure drama
Usually, when a company addresses security issues, they share CVE tracking numbers for the vulnerabilities. These numbers describe the problem in a few short sentences, and tell the IT teams how severe the issue is. That helps them decide if they should rush with the implementation of the patch and whether or not their premises are in imminent danger.
This time around, not even CVEs had been listed, which surprised the wider cybersecurity community. In its writeup, The Register speculates that this was JetBrains’ response to the recent “disclosure drama involving Rapid7”.
For those unfamiliar with the “disclosure drama”, JetBrains recently patched a pair of flaws in complete silence, later saying that it was giving admins a head start against hackers looking to exploit the vulnerabilities. Rapid7, on the other hand, didn’t believe the company, and published a how-to guide on exploiting the flaws, mere hours after the patch was pushed. Consequently, some systems were breached.
Other researchers believe this could have something to do with the recent security incidents at TeamCity. In early March 2024, the company released a patch for two high-severity flaws plaguing its product. Soon after, CISA added it to its KEV list, signaling in-the-wild abuse. There is a slight chance that this patch, at least partially, addresses the aftermath of the two high-severity vulnerabilities, forcing the team to remain tight-lipped until the majority of customers patched up.
Posting a thread on Infosec Exchange, a user named “Not Simon” found that the JetBrains Security Bulletin only shows 7 vulnerabilities out of the 26. The list can be found here.
More from TechRadar Pro
- CISA warns on JetBrains TeamCity flaw that could allow hackers to generate admin accounts
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
