May 30, 2024 update:
Summary
- Earlier this year, several critical vulnerabilities were discovered in TeamCity. All versions of TeamCity On-Premises through 2023.11.3 were affected by these vulnerabilities. TeamCity Cloud was not affected.
- We offered our customers two options to mitigate the vulnerabilities – upgrading to a bug-fix release or installing a security patch plugin.
- We have since discovered that the security patch plugin doesn’t provide an optimal long-term way of protecting a TeamCity server from these vulnerabilities. In specific edge cases, it might still be possible to bypass the plugin.
- In our spirit of taking an ethical approach to vulnerability disclosure, we have filed CVE-2024-36470, sharing just enough information to inform our customers without providing full technical details. This minimizes the risk of exploitation. We will be adding more specific details on the issue within the next 60 days.
- We are releasing bug-fix releases for several older versions of TeamCity, including non-supported versions (2022.04 through 2023.11) with the aforementioned security fixes built-in.
- We are also enabling customers with much older, out-of-maintenance licenses to install a version of TeamCity with these security fixes built in (version 2022.04.6). Any older TeamCity license will automatically be compatible with this version.
- Lastly, we are taking this opportunity to backport a number of fixes for previously disclosed security issues into these new bug-fix releases, enabling all customers to benefit from additional security fixes.
Details
Earlier this year, several critical vulnerabilities were discovered in TeamCity. If abused, the flaws might have enabled an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass the authentication checks and gain administrative control of the TeamCity server.
All versions of TeamCity On-Premises through 2023.11.3 were affected by these vulnerabilities. Customers of TeamCity Cloud had their servers patched right away and weren’t affected.
To mitigate the risks introduced by these vulnerabilities, we offered our customers two options. The first option was updating their servers to the latest version, which included patches for the discovered vulnerabilities.
For customers who were unable to update their server, we offered a second option – applying a security patch plugin. However, we have since discovered the security patch plugin doesn’t provide an optimal long-term way of protecting a TeamCity server from these vulnerabilities. In specific edge cases, it might still be possible to bypass the plugin.
In our spirit of taking an ethical approach to vulnerability disclosure, we have filed CVE-2024-36470, sharing just enough information to inform our customers, without providing full technical details. This minimizes the risk of exploitation. We will be adding more specific details on the issue within the next 60 days.
Our customers’ safety is our utmost priority. In order to protect our customers from any potential security threats, we’ve rolled out major bug-fix releases for several older versions of TeamCity (versions 2022.04 through 2023.11). These new releases include fixes for the aforementioned security vulnerabilities, negating the requirement to use a security patch plugin.
We have also taken this opportunity to backport a number of fixes for previously disclosed security issues into these new bug-fix releases, enabling all customers to benefit from additional security fixes.
All TeamCity customers are, therefore, able to upgrade to a fixed version:
- Customers with versions 2021.2 and older can upgrade their servers to version 2022.04.6 free of charge. Any older Enterprise Server and Build Agent licenses that are out of maintenance will automatically be compatible with version 2022.04.6. See the FAQ for more details.
- Customers using 2022.04 or a more recent version can upgrade to the respective bug-fix release within their major version (2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5).
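As an added example, not part of the original announcement or of JetBrains' own code, the following Python helper turns the version ranges above into a check a TeamCity administrator can run: it parses a TeamCity version string, reports whether the version falls in the affected range stated in this post (all On-Premises versions through 2023.11.3) and which bug-fix release the list above points to for that major version line. The `fetch_server_version` function assumes that `GET /app/rest/server` returns a JSON document with a `version` field when called with a bearer access token; the version strings in the demo loop are constructed sample inputs.

```python
import json
import re
import urllib.request
from typing import Optional

# All TeamCity On-Premises versions through 2023.11.3 were affected (per the advisory).
LAST_AFFECTED = (2023, 11, 3)

# Recommended bug-fix release for each major version line listed in the advisory,
# keyed by the (year, month) of the line.
FIXED_RELEASES = {
    (2022, 4): "2022.04.7",
    (2022, 10): "2022.10.6",
    (2023, 5): "2023.05.6",
    (2023, 11): "2023.11.5",
}
LEGACY_TARGET = "2022.04.6"        # for 2021.2 and older (license-compatible build)
FIRST_UNAFFECTED_LINE = (2024, 3)  # 2024.03 was never affected


def parse_version(text: str) -> tuple:
    """Convert a TeamCity version string to a comparable (major, minor, patch) tuple.

    Accepts the form shown in the UI and REST API, e.g. '2023.11.3 (build 147512)',
    a bare '2022.04', or an old-scheme version such as '10.0.5'. Missing trailing
    components are padded with 0 so that '2022.04' sorts below '2022.04.7'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def assess(version_text: str) -> dict:
    """Return whether a version is in the affected range and which release to move to."""
    v = parse_version(version_text)
    line = v[:2]
    target: Optional[str]
    if line >= FIRST_UNAFFECTED_LINE:
        target = None                  # not affected; no security-driven upgrade target
    elif line in FIXED_RELEASES:
        target = FIXED_RELEASES[line]  # bug-fix release within the same major version
    elif line < (2022, 4):
        target = LEGACY_TARGET         # 2021.2 and older move to the license-compatible build
    else:
        target = None                  # major version line not listed in the advisory
    return {
        "version": v,
        "affected": v <= LAST_AFFECTED,
        "target": target,
        "needs_upgrade": target is not None and v < parse_version(target),
    }


def fetch_server_version(base_url: str, token: str) -> str:
    """Read the version string from a live server.

    Assumption (not stated in the advisory): GET /app/rest/server returns JSON with a
    'version' field when called with a bearer access token.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server",
        headers={"Accept": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs; for a real server use fetch_server_version(url, token).
    samples = ["2023.11.3 (build 147512)", "2023.11.4", "2022.04", "2017.2", "10.0.5", "2024.03.1"]
    for sample in samples:
        r = assess(sample)
        print(f"{sample:28} affected={r['affected']!s:5} target={r['target']} "
              f"needs_upgrade={r['needs_upgrade']}")
```

Note the distinction the result makes: `affected` is the range this post gives for the original vulnerabilities, while `needs_upgrade` also flags versions such as 2023.11.4 that are outside that range but below the newly released bug-fix build that carries the backported fixes.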
To update, go to https://www.jetbrains.com/teamcity/download/other.html and download one of these bug-fix releases. Alternatively, you can perform an automatic update via Administration | Updates directly in TeamCity.
Please refer to the release notes relevant to your version of TeamCity for more details:
The vulnerabilities did not affect version 2024.03, so today we are releasing 2024.03.2 as a regular bug-fix update.
We strongly recommend that all TeamCity On-Premises customers upgrade their servers to the latest available version. If you have any questions regarding this announcement or encounter problems upgrading, please get in touch with the TeamCity Support team by submitting a ticket.
Frequently asked questions
I’m currently running an affected version of TeamCity but have the security patch plugin installed. Should I upgrade my server to one of the newly released versions?
Yes, we strongly recommend upgrading to one of the new bug-fix versions listed above, even if you have the security patch plugin installed. Fixes for the aforementioned security issues are now built into the product, along with a selection of less severe fixes for previously disclosed vulnerabilities that have been backported to each of these new bug-fix releases. The security patch plugin can be uninstalled from the server after it has been updated to one of these new bug-fix releases.
I am using TeamCity Enterprise 2017.2, and my paid licenses lapsed on their maintenance in 2018. Can I upgrade to 2022.04.7 free of charge?
Yes, we have specifically made the new 2022.04.7 bug-fix release compatible with all old license keys (even if you still use TeamCity 7.0, released back in 2012). It is important to note that only the 2022.04.7 release has been made compatible with all older license keys.
This will enable all customers to benefit from a more secure version of TeamCity, regardless of whether their licenses are under active maintenance.
I am using TeamCity Enterprise 2023.05.4, and my licenses have since lapsed on their maintenance. Can I upgrade to the 2023.05.6 bug-fix release for no charge?
Yes, all bug-fix releases within a major version number (e.g. 2023.05) are compatible with the license keys for that version, meaning you can install the minor update for no charge. For example, license keys compatible with 2023.05 are valid for all minor versions within 2023.05.x.
I am using the free TeamCity Professional license on version 2018.x and also purchased some additional build agent licenses in 2018. Those additional agent licenses have been out of maintenance since 2019. Can I upgrade to 2022.04.7 and still use my additional build agent licenses with that version?
Yes, any old build agent license keys will automatically be valid for use with the new 2022.04.7 bug-fix release.
Should I manually remove the security patch plugin from the server after updating it to one of the new bug-fix releases?
Yes, the security patch plugin is no longer required after you upgrade to one of the new bug-fix releases (2022.04.7, 2022.10.6, 2023.05.6, or 2023.11.5) and will be ignored on server start-up. It can be safely removed after upgrading to one of these versions.
I have been using a vulnerable version of TeamCity. How can I check my server hasn’t already been compromised?
Please check out our guide on investigating a compromised TeamCity on-premises server and its build environment.