Cloud versions of the JetBrains TeamCity CI/CD server have already been updated against a new pair of critical vulnerabilities, but on-premises deployments need immediate patching, a security advisory from the vendor warned this week.
This is the second round of critical TeamCity vulnerabilities in the last two months. The consequences could be far-reaching: the company's software development lifecycle (SDLC) platform is used by 30,000 organizations, including Citibank, Nike and Ferrari.
The TeamCity tool manages the software development CI/CD pipeline, the process by which code is built, tested, and deployed. The new vulnerabilities, tracked as CVE-2024-27198 and CVE-2024-27199, could allow threat actors to bypass authentication and gain administrative control of the victim's TeamCity server, according to a post on the TeamCity blog.
The flaws were identified and reported by Rapid7 in February, the company added. The Rapid7 team is set to release full technical details shortly, making it imperative for teams running on-premises versions of TeamCity up to and including 2023.11.3 to update their systems before threat actors seize the opportunity, the company said.
In addition to releasing an updated version of TeamCity, 2023.11.4, the vendor has offered a security patch plugin for teams that are unable to update quickly.
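A quick inventory check that follows from the advisory: given the version strings reported by on-premises TeamCity servers, flag every server at or below 2023.11.3 as needing the 2023.11.4 update (or the patch plugin). This is an added example, not code from JetBrains or Rapid7; the version-string format with a "(build NNN)" suffix, the sample inventory, and the rule that a missing patch component counts as zero are assumptions made for illustration.

```python
import re
from typing import Dict, Tuple

# Fixed release named in the vendor advisory quoted above.
FIXED_VERSION = "2023.11.4"


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a TeamCity version string into a comparable (major, minor, patch) tuple.

    Accepts '2023.11.3' as well as the UI-style '2023.11.3 (build 147512)'.
    Assumption (not from the article): the build suffix is ignored and a
    missing patch component is treated as 0, so '2023.11' == '2023.11.0'.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def needs_patch(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if a server reporting `version` is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an inventory of reported versions to a verdict."""
    return {host: ("PATCH" if needs_patch(v) else "ok") for host, v in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ci-build-01": "2023.11.3 (build 147512)",
    "ci-build-02": "2023.11.4 (build 147530)",
    "ci-legacy":   "2023.05.4",
    "ci-new":      "2024.03",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:28s} {verdict}")
```

The version string can be read from the server's administration page or the bottom of the TeamCity UI; the check deliberately treats any older release line (here 2023.05.x) as affected, matching the advisory's "up to 2023.11.3" wording rather than only the 2023.11 line.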
The CI/CD environment is critical to the software supply chain, making it an attractive attack vector for sophisticated Advanced Persistent Threat (APT) groups.
JetBrains TeamCity bug endangers software supply chain
In late 2023, governments around the world raised the alarm that the Russian group APT29 (also known as Nobelium, Midnight Blizzard and Cozy Bear, the group behind the 2020 SolarWinds attack) was actively exploiting a similar vulnerability in JetBrains TeamCity, one that could likewise enable attacks on the software supply chain.
“The ability of an unauthenticated attacker to bypass authentication controls and gain administrative control poses a significant risk not only to the surrounding environment but also to the integrity and security of software developed and distributed through such compromised CI/CD pipelines,” Ryan Smith, product manager for Deepfence, said in a statement.
Smith added that the data shows a “noticeable increase” in both the volume and complexity of cyberattacks on the software supply chain overall.
“The recent JetBrains incident serves as a stark reminder of the importance of timely vulnerability management and proactive threat detection strategies,” Smith said. “By fostering a culture of agility and resilience, organizations can improve their ability to counter emerging threats and effectively safeguard their digital assets.”