Cloud versions of the JetBrains TeamCity software development platform manager have already been updated against a new pair of critical vulnerabilities, but on-premises deployments need immediate patching, a security advisory from the vendor warned this week.
This is the second round of critical TeamCity vulnerabilities in the past two months. The ramifications could be broad: the company's software development lifecycle (SDLC) platform is used across 30,000 organizations, including Citibank, Nike, and Ferrari.
The TeamCity tool manages the software development CI/CD pipeline, which is the process by which code is built, tested, and deployed. The new vulnerabilities, tracked as CVE-2024-27198 and CVE-2024-27199, could allow threat actors to bypass authentication and gain administrative control of the victim's TeamCity server, according to a blog post from TeamCity.
The flaws were found and reported by Rapid7 in February, the company added. The Rapid7 team is poised to release full technical details imminently, making it critical for teams running TeamCity on-premises versions through 2023.11.3 to get their systems patched before threat actors catch on to the opportunity, the company advised.
In addition to releasing an updated TeamCity version, 2023.11.4, the vendor offered a security patch plugin for teams unable to upgrade quickly.
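The advisory gives a clear cut line for on-premises installations: everything through 2023.11.3 is affected, and 2023.11.4 is the fixed release. The script below is an added example (not code from JetBrains, Rapid7, or the article) that turns that statement into an inventory triage check. It parses TeamCity version strings, including ones that carry a "(build NNNNNN)" suffix as the server reports them (an assumed format), compares them against the fixed release, and flags anything it cannot parse for manual review rather than silently calling it safe. The inventory entries are constructed sample data.

```python
"""Triage TeamCity version strings against the CVE-2024-27198/CVE-2024-27199 fix line.

Added example, not code from JetBrains or Rapid7. It assumes only what the
advisory states: on-premises builds through 2023.11.3 are affected and
2023.11.4 is the first fixed release. The version-string format with a
"(build N)" suffix and the inventory below are assumptions/constructed data.
"""
import re
from typing import Dict, Optional, Tuple

# First release the vendor states as fixed for these two CVEs.
FIXED_VERSION: Tuple[int, int, int] = (2023, 11, 4)

# Matches "2023.11.3", "2023.11" and "2023.11.3 (build 147512)".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a TeamCity version string.

    A missing patch component ("2023.11") is treated as 0, which is the
    first release of that line. Returns None when no version is present.
    """
    m = _VERSION_RE.search(raw)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(raw: str) -> Optional[bool]:
    """True if the version predates the fixed release, False if at or after it.

    Returns None when the string cannot be parsed; callers should treat
    that as "needs manual review", never as "not affected".
    """
    version = parse_version(raw)
    if version is None:
        return None
    return version < FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected', 'fixed' or 'unknown'."""
    result = {}
    for host, raw in inventory.items():
        affected = is_affected(raw)
        if affected is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if affected else "fixed"
    return result


# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "ci-build-01.example.internal": "2023.11.3 (build 147512)",
    "ci-build-02.example.internal": "2023.11.4 (build 147537)",
    "ci-legacy.example.internal": "2022.04.2",
    "ci-new.example.internal": "2024.03",
    "ci-unknown.example.internal": "version banner unavailable",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A version check alone cannot see the vendor's security patch plugin, so a host reported as "affected" may already be mitigated that way; treat the output as a list of servers to verify, and remember that the patched release, not the plugin, is the vendor's recommended end state.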
The CI/CD environment is fundamental to the software supply chain, making it an attractive attack vector for sophisticated advanced persistent threat (APT) groups.
JetBrains TeamCity Bug Endangers Software Supply Chain
In late 2023, governments worldwide raised the alarm that the Russian state-backed group APT29 (aka Nobelium, Midnight Blizzard, and Cozy Bear, the threat actor behind the 2020 SolarWinds attack) was actively exploiting a similar vulnerability in JetBrains TeamCity that could likewise enable software supply chain cyberattacks.
“The ability of an unauthenticated attacker to bypass authentication checks and gain administrative control poses a significant risk not only to the immediate environment but also to the integrity and security of the software being developed and deployed through such compromised CI/CD pipelines,” Ryan Smith, head of product for Deepfence, said in a statement.
Smith added that the news reveals a “notable uptick” in both the number and the complexity of software supply chain cyberattacks in general.
“The recent JetBrains incident serves as a stark reminder of the criticality of prompt vulnerability management and proactive threat detection strategies,” Smith said. “By fostering a culture of agility and resilience, organizations can enhance their ability to thwart emerging threats and safeguard their digital assets effectively.”