Rapid7 throws JetBrains under the bus for 'uncoordinated vulnerability disclosure'

Exploits began within hours of the original disclosure, so patch now


Updated: Security shop Rapid7 is criticizing JetBrains for flouting its policy against silent patching regarding fixes for two fresh vulnerabilities in the TeamCity CI/CD server.

Rapid7 says it reported the two TeamCity vulnerabilities in mid-February, claiming JetBrains soon after suggested releasing patches for the flaws before publicly disclosing them.

Such a move is typically seen as a no-no by the infosec community, which favors transparency, but there's apparently a time and a place for these things.

According to the cybersecurity company, it replied that it wouldn't agree to swift disclosure and pointed JetBrains to its policy against silently patching vulnerabilities. That policy stipulates that if a vendor violates it, Rapid7 will itself release the full details of the vulnerability, including enough information to allow people to develop exploits, within 24 hours.

Rapid7 claims that after more than a week of radio silence from JetBrains on the coordinated disclosure matter, Rapid7 spotted fresh patches for CVE-2024-27198 and CVE-2024-27199 on Monday, without a published security advisory and without telling the researchers.

Following what sounds like a sternly worded email from Rapid7, JetBrains released a blog detailing the vulnerabilities, but the security researchers say it continued to ignore inquiries about why it violated coordinated vulnerability disclosure norms.

The details can all be found at the bottom of Rapid7's security advisory.

A glass-half-full onlooker may look at JetBrains' behavior and consider how silently patching the vulnerabilities could have been positive. It's well-known that alerting attackers to vulnerabilities before organizations can apply patches often leads to exploits at a scale that leaves a trail of victims behind.

JetBrains may just have wanted to avoid this scenario, but as it says in its own security advisory, it was well aware that Rapid7 would publish within 24 hours, so this optimism doesn't hold up to much scrutiny.

Further, according to internet monitoring biz Shadowserver, exploits of the vulnerabilities are already well underway, starting at 2200 UTC the same day the vulnerabilities were disclosed.

Glass-half-empty types will think JetBrains sought to avoid negative press, especially given the other recent TeamCity issues, or that it was just being generally ignorant of the disclosure norms.

We sent some questions about this over to JetBrains but they didn't immediately respond.

While JetBrains prepares to tell its side of the story – see the update below – members of the infosec community have shamed the TeamCity vendor over the supposed uncoordinated disclosure with Rapid7.

"The Rapid7 blog on JetBrains TeamCity is savage – especially the disclosure timeline," said security researcher Ron Bowes on Mastodon.

"I know from previously working on that team that we tried hard to be friendly and cooperative with vendors. The fact that Rapid7 calls them out on their behavior means it must have been bad."

Inside the TeamCity vulnerabilities

JetBrains said the two vulnerabilities, both discovered by Stephen Fewer, are "critical," although the National Vulnerability Database (NVD) has only assigned one of them critical status.

It's worth noting that CVE-2024-27198 attracts a higher severity score because it could allow attackers to take full administrative control of a TeamCity server and achieve unauthenticated remote code execution.

Rapid7 says CVE-2024-27199 only allows for a "limited amount" of information disclosure and system modification. This includes an unauthenticated attacker being able to replace a server's HTTPS certificate with their own, thus opening up the possibility of man-in-the-middle (MITM) attacks.

Severity score aside, CVE-2024-27198 will certainly be the main cause of concern for CI/CD server admins given the potential for supply chain attacks to take hold.

JetBrains says these only affect the on-prem version of TeamCity. Cloud versions are already patched and weren't attacked prior to disclosure.

All on-prem versions through to 2023.11.3 are impacted by the flaws, JetBrains says. So the best route to protection is to either upgrade to version 2023.11.4 or install its security patch plugin. ®
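For admins who need to find which of their servers still fall into that affected range, here is an added example (not code from the article, JetBrains or Rapid7) that parses TeamCity version strings numerically and flags on-prem instances below 2023.11.4. The inventory and hostnames are constructed sample data; it assumes that hosts patched via the security patch plugin, which cannot be told apart by version string, are excluded by the operator.

```python
"""Flag on-prem TeamCity instances still below the fixed version (2023.11.4).

Added example, not from the article or from JetBrains/Rapid7. The only facts
taken from the article: on-prem versions through 2023.11.3 are affected,
2023.11.4 is fixed, and TeamCity Cloud is already patched.
"""
import re

FIXED_VERSION = (2023, 11, 4)  # first on-prem release with both CVEs patched


def parse_version(version):
    """Turn a TeamCity version string such as '2023.11.3' into a tuple of ints.

    Strings may carry a build suffix, e.g. '2023.11.3 (build 12345)'; only the
    dotted numeric prefix is compared. Missing components count as 0, so a
    plain '2023.11' sorts before '2023.11.1' and lexical pitfalls are avoided.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable(version, hosting="on-prem"):
    """True if this instance still needs the upgrade or the patch plugin.

    Cloud instances are reported as not affected. Whether the security patch
    plugin is installed is not visible in the version string (assumption), so
    plugin-patched on-prem hosts will still be listed and need manual review.
    """
    if hosting == "cloud":
        return False
    return parse_version(version) < FIXED_VERSION


def find_exposed(inventory):
    """Return hostnames from (host, version, hosting) triples that are affected."""
    return [h for h, v, hosting in inventory if is_vulnerable(v, hosting)]


# Constructed sample inventory for demonstration only (build numbers are fake).
SAMPLE_INVENTORY = [
    ("ci-build-01.example.test", "2023.11.3 (build 12345)", "on-prem"),
    ("ci-build-02.example.test", "2023.11.4 (build 12346)", "on-prem"),
    ("ci-legacy.example.test", "2023.05.1", "on-prem"),
    ("ci-next.example.test", "2024.03", "on-prem"),
    ("ci-cloud.example.test", "2023.11.3", "cloud"),
]

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to 2023.11.4 or install the security patch plugin")
```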

Updated to add at 1619 UTC

"The most important part is the following," said a JetBrains spokesperson, referencing a blog post discussing its side of events.

"We never had any intention to release a fix silently without making the full details public. As a CVE Numbering Authority (CNA), we assigned CVE IDs for both issues a day after receiving the report.

"We suggested disclosing the details of the vulnerabilities in the same way we have followed in the past (with a time delay between releasing a fix and making a full disclosure), which allows our customers to upgrade their TeamCity instances.

"This suggestion was rejected by the Rapid7 team who published full details of the vulnerabilities (and how to exploit them) a few hours after we had released a fix to TeamCity customers."
