TeamCity Patches 26 Vulnerabilities, Keeps Details Secret
A recent update to TeamCity, JetBrains’ Continuous Integration and Delivery (CI/CD) software, addressed 26 security issues. Yet the company chose not to disclose any details about the identified vulnerabilities, sparking heated discussion within the professional community.
The version 2024.03 update of TeamCity is designed to protect users from potential threats, but the complete absence of details about the 26 vulnerabilities has genuinely surprised security experts. The lack of transparency has drawn particular criticism because it follows an incident in which experts from Rapid7 criticized JetBrains for insufficient openness.
JetBrains asserts that withholding details is solely to protect customers using previous versions of TeamCity, although this is not a widely accepted practice in the industry.
Nevertheless, the company’s intentions can be understood. TeamCity remains an attractive target for malefactors looking to attack the software supply chain. History has shown that such attacks can have grave consequences, as seen in the case of SolarWinds.
According to Elliott Wilks, the Chief Technology Officer of Advanced Cyber Defence Systems (ACDS), JetBrains’ opaqueness may be related to recent ransomware attacks, prompting the company to take extra precautions.
Furthermore, the new version of TeamCity introduced a feature for semi-automatic downloading of critical security updates for on-premises software users. Previously, this feature was available only for cloud installations, and this move certainly demonstrates JetBrains’ desire to enhance the security of its systems as much as possible.
Modern threats demand that organizations remain constantly vigilant and ready to respond to security incidents, especially given the increasing complexity of attacks on software supply chains.
JetBrains’ transparency policy certainly does not meet the generally accepted standards and norms. However, this approach also bears fruit and can positively impact the security of its clients.