March 5, 2024 update: Please also see this follow-up blog post that describes our insights and timeline for addressing these vulnerabilities.
Summary
- Two additional critical security vulnerabilities have been identified in TeamCity On-Premises.
- The vulnerabilities were discovered in February 2024 by Rapid7, who reported them to us via our coordinated disclosure policy.
- These critical security vulnerabilities have been assigned the CVE identifiers CVE-2024-27198 and CVE-2024-27199 and correspond to the weaknesses CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-23 (Relative Path Traversal).
- The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.
- The vulnerabilities affect all TeamCity On-Premises versions through 2023.11.3.
- They have been fixed in version 2023.11.4.
- We encourage all users to update their servers to the latest version.
- For those who are unable to do so, we have released a security patch plugin (details below).
- Rapid7 (the reporter of the vulnerabilities) is strictly adhering to its vulnerability disclosure policy, which means their team will publish the full technical details of these vulnerabilities within 24 hours of this announcement. It is, therefore, imperative that you upgrade or patch your server immediately.
- TeamCity Cloud servers have already been patched, and we have verified that they weren’t attacked.
Details
Two new critical security vulnerabilities have been discovered in TeamCity On-Premises. If abused, the flaws may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass the authentication checks and gain administrative control of the TeamCity server.
All versions of TeamCity On-Premises through 2023.11.3 are affected by these vulnerabilities. Customers of TeamCity Cloud have already had their servers patched, and we have verified that they weren’t attacked.
These vulnerabilities were discovered in February 2024 by Rapid7, who reported the vulnerabilities to us privately via our coordinated disclosure policy.
These two critical security vulnerabilities have been assigned the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2024-27198 and CVE-2024-27199 and correspond to the weaknesses CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-23 (Relative Path Traversal).
Fixes for these vulnerabilities have been introduced in version 2023.11.4. We have also released a security patch plugin so that customers who are unable to upgrade to this version can still patch their environment.
Rapid7 originally identified and reported these vulnerabilities to us and has chosen to adhere strictly to its own vulnerability disclosure policy. This means that their team will publish full technical details of these vulnerabilities and their replication steps within 24 hours of this notice.
JetBrains’ policy typically involves withholding technical details of vulnerabilities for a longer period of time after a release to ensure thorough mitigation; however, this accelerated timeline means servers must be upgraded or patched immediately to prevent exploitation.
If your server is publicly accessible over the internet, and you are unable to immediately perform one of the mitigation steps described below, we strongly recommend making your server inaccessible until mitigation actions have been completed.
Mitigation option 1: Update your server
To update your server, download the latest version (2023.11.4) or use the automatic update option within TeamCity. This version includes patches for the vulnerabilities described above.
Mitigation option 2: Apply the security patch plugin
If you are unable to update your server to version 2023.11.4, we have also released a security patch plugin so that you can still patch your environment. The security patch plugin can be downloaded using one of the links below and installed on all TeamCity versions through 2023.11.3. It will patch the vulnerabilities described above.
Security patch plugin: TeamCity 2018.2 and newer | TeamCity 2018.1 and older
See the TeamCity plugin installation instructions for information on installing the plugin.
The security patch plugin will only patch the vulnerabilities described above. We always recommend upgrading your server to the latest version to benefit from many other security updates.
Security Bulletin
A complete list of recently fixed security issues is available on the Fixed security issues page on the JetBrains website. You can also subscribe to receive email notifications about fixes in all JetBrains products.
Frequently asked questions
Which versions are affected?
All versions through 2023.11.3 are affected by these vulnerabilities. The vulnerabilities have been patched in 2023.11.4. We recommend upgrading or installing the security patch plugin as soon as possible.
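As an added example (not code from this advisory or from JetBrains), a small triage helper that applies the version boundaries above, both for the affected-version question and for choosing between the two security patch plugin builds: anything below 2023.11.4 is flagged, and affected servers are pointed to the plugin build matching their version (2018.2 and newer versus 2018.1 and older). It assumes version strings in the form TeamCity reports them, e.g. "2023.11.3 (build NNN)"; the hostnames and build numbers in the inventory are constructed.

```python
import re

# Boundaries stated in the advisory.
FIXED_VERSION = (2023, 11, 4)   # first release containing the fix
PLUGIN_SPLIT = (2018, 2)        # 2018.2+ uses one plugin build, 2018.1 and older the other

_VERSION_RE = re.compile(r"(\d{4})\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Extract (year, major, minor) from a TeamCity version string such as
    '2023.11.3' or '2023.11.3 (build 147512)'. A missing third component
    (e.g. '2023.11') counts as .0. Returns None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    year, major, minor = m.groups()
    return (int(year), int(major), int(minor or 0))

def assess(version_text):
    """Classify one server as 'patched', 'affected' or 'unknown' and state the action."""
    v = parse_version(version_text)
    if v is None:
        return {"version": version_text, "status": "unknown", "action": "verify version manually"}
    if v >= FIXED_VERSION:
        return {"version": version_text, "status": "patched", "action": "none"}
    plugin = "plugin for 2018.2 and newer" if v[:2] >= PLUGIN_SPLIT else "plugin for 2018.1 and older"
    return {"version": version_text, "status": "affected",
            "action": f"upgrade to 2023.11.4 or install the {plugin}"}

def triage(inventory):
    """Assess every (hostname, version string) pair; affected servers are listed first."""
    rows = [{"host": host, **assess(ver)} for host, ver in inventory]
    order = {"affected": 0, "unknown": 1, "patched": 2}
    return sorted(rows, key=lambda r: order[r["status"]])

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = [
    ("ci-prod.example.internal", "2023.11.3 (build 147512)"),
    ("ci-legacy.example.internal", "2018.1.5"),
    ("ci-new.example.internal", "2023.11.4 (build 147526)"),
    ("ci-old.example.internal", "2019.2"),
    ("ci-unknown.example.internal", "n/a"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<30} {row['status']:<9} {row['action']}")
```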
Is TeamCity Cloud affected?
TeamCity Cloud servers have already been patched, and we have verified that they weren’t attacked.
Is it possible to backport the fix to our version?
We are not considering backports at this point. Please keep in mind that the plugin we have released mitigates this issue and is compatible with all TeamCity versions.
Support
If you have any questions regarding this issue or encounter problems upgrading, please get in touch with the TeamCity Support team by submitting a ticket.