March 29, 2024 at 07:18AM
JetBrains released TeamCity 2024.03, addressing 26 security issues and introducing semi-automatic security updates. The company emphasized that it is not sharing vulnerability details, in order to protect clients using older versions. The update patches seven CVEs, including a high-severity flaw that enables bypass of two-factor authentication. JetBrains’ cautious approach follows a recent incident in which a critical flaw was exploited.
JetBrains has released TeamCity 2024.03, which patches 26 security issues, including seven CVEs, among them a high-severity flaw and several medium-severity vulnerabilities. The company also introduced semi-automatic security updates, intended to address major vulnerabilities swiftly. The disclosure of CVE-2024-27198, however, was botched, and the flaw was exploited in the wild shortly after it was patched. Miscommunication between Rapid7 and JetBrains over the disclosure of this critical flaw led to the compromise of hundreds of vulnerable TeamCity instances, including as part of ransomware attacks. Russian cyberspies were also found exploiting the TeamCity vulnerability at scale, with government agencies among those affected. The episode shows how urgent it is to address security issues promptly and to keep communication and coordination clear among the parties involved in a disclosure.