April 18, 2024

Cloud versions of the JetBrains TeamCity software development platform have already been updated against a new pair of critical vulnerabilities, but on-premises deployments need immediate patching, a security advisory from the vendor warned this week.

This is the second round of critical TeamCity vulnerabilities in the past two months, following CVE-2024-23917 in early February. The ramifications could be wide: the company's software development lifecycle (SDLC) platform is used across 30,000 organizations, including Citibank, Nike, and Ferrari.

The TeamCity tool manages the software development CI/CD pipeline, the process by which code is built, tested, and deployed. The new vulnerabilities, tracked as CVE-2024-27198 (an authentication bypass, CVSS 9.8) and CVE-2024-27199 (a path traversal, CVSS 7.3, that exposes a limited set of server settings to unauthenticated users), could allow an unauthenticated attacker with HTTP(S) access to bypass authentication checks and gain administrative control of the victim's TeamCity server, according to a blog post from JetBrains.

The flaws were found and reported by Rapid7 in February, the company added. The Rapid7 team is poised to release full technical details imminently, making it critical for teams running TeamCity On-Premises versions through 2023.11.3 to get their systems patched before threat actors catch on to the opportunity, the company advised.

In addition to releasing an updated TeamCity version, 2023.11.4, the vendor offered a security patch plugin for teams unable to upgrade quickly.
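For teams doing the version triage the advisory calls for, the following is an added example (not JetBrains' or Rapid7's code) that parses a TeamCity On-Premises version string, as shown in the server UI footer or returned by the REST API, and reports whether it predates the 2023.11.4 fix. The XML sample is constructed to resemble the `/app/rest/server` response and its attribute layout is an assumption. The check keys on the version string only; a server fixed with the security patch plugin is assumed to keep reporting its old version, so it will still be flagged and needs to be confirmed separately.

```python
"""Flag TeamCity On-Premises servers older than the CVE-2024-27198/27199 fix.

Added example, not JetBrains' or Rapid7's code.  SAMPLE_SERVER_XML is a
constructed stand-in for GET /app/rest/server; its attribute layout is an
assumption about the real response, not a captured reply.
"""
import re
import xml.etree.ElementTree as ET

# Version named in the JetBrains advisory as containing the fix.
FIXED_VERSION = (2023, 11, 4)

# Constructed sample (assumption): a 2023.11.3 server answering /app/rest/server.
SAMPLE_SERVER_XML = (
    '<server version="2023.11.3 (build 147512)" versionMajor="2023" '
    'versionMinor="11" buildNumber="147512" '
    'startTime="20240301T080000+0000" currentTime="20240304T120000+0000"/>'
)


def parse_version(version_str: str) -> tuple[int, int, int]:
    """Turn '2023.11.3 (build 147512)' or '2022.10' into (year, minor, patch).

    TeamCity omits the patch component on a .0 release, so a missing patch is
    treated as 0; the trailing '(build N)' suffix is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version_str)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {version_str!r}")
    year, minor, patch = m.groups()
    return (int(year), int(minor), int(patch or 0))


def is_affected(version_str: str) -> bool:
    """True when the reported version is below 2023.11.4.

    The advisory covers every On-Premises release through 2023.11.3, so any
    version that sorts below the fix is treated as affected.  A server fixed
    with the security patch plugin is assumed to still report the old version
    and will therefore be flagged here; verify those by hand.
    """
    return parse_version(version_str) < FIXED_VERSION


def version_from_server_xml(xml_text: str) -> str:
    """Pull the version attribute out of a <server .../> element."""
    root = ET.fromstring(xml_text)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("not a TeamCity server element")
    return root.attrib["version"]


def check_server_xml(xml_text: str) -> dict:
    """Return the reported version and whether it needs the 2023.11.4 fix."""
    version = version_from_server_xml(xml_text)
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    result = check_server_xml(SAMPLE_SERVER_XML)
    status = "NEEDS PATCHING" if result["affected"] else "at or above 2023.11.4"
    print(f"TeamCity {result['version']}: {status}")
```

Point `check_server_xml` at the real endpoint output (it needs an authenticated or guest-enabled request on most installs) or feed `is_affected` the version string copied from the UI; either way, treat a "NEEDS PATCHING" result as a prompt to confirm the plugin's presence rather than as proof the server is still exposed.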

The CI/CD environment is fundamental to the software supply chain, making it an attractive attack vector for sophisticated advanced persistent threat (APT) groups.

JetBrains TeamCity Bug Endangers Software Supply Chain

In late 2023, governments worldwide raised the alarm that the Russian state-backed group APT29 (aka Nobelium, Midnight Blizzard, and Cozy Bear, the threat actor behind the 2020 SolarWinds attack) was actively exploiting a similar authentication-bypass vulnerability in JetBrains TeamCity, CVE-2023-42793, that could likewise enable software supply chain cyberattacks.

“The ability of an unauthenticated attacker to bypass authentication checks and gain administrative control poses a significant risk not only to the immediate environment but also to the integrity and security of the software being developed and deployed through such compromised CI/CD pipelines,” Ryan Smith, head of product for Deepfence, said in a statement.

Smith added that the data shows a “notable uptick” in both the volume and the complexity of software supply chain cyberattacks in general.

“The recent JetBrains incident serves as a stark reminder of the criticality of prompt vulnerability management and proactive threat detection strategies,” Smith said. “By fostering a culture of agility and resilience, organizations can enhance their ability to thwart emerging threats and safeguard their digital assets effectively.”