Critical TeamCity Bugs Endanger Software Supply Chain

Critical vulnerabilities have been uncovered in the on-premises deployments of JetBrains TeamCity, a widely used Continuous Integration/Continuous Deployment (CI/CD) pipeline tool. These vulnerabilities, known as CVE-2024-27198 and CVE-2024-27199, pose significant risks as they could enable threat actors to gain administrative control over TeamCity servers. While the cloud versions of TeamCity have already been updated to address these vulnerabilities, organizations with on-premises deployments are urged to apply patches immediately.

The TeamCity tool plays a pivotal role in managing the software development lifecycle (SDLC) by facilitating the building, testing, and deployment of code. Given its widespread adoption, with over 30,000 organizations relying on it. The vulnerabilities were initially discovered and reported by Rapid7 in February, prompting TeamCity to issue a security advisory. Rapid7 plans to release detailed technical information soon, underscoring the urgency for organizations running on-premises versions of TeamCity up to 2023.11.3 to prioritize patching to thwart potential attacks.

Security Officer Comments:
Notably, the vulnerabilities in JetBrains TeamCity parallel concerns raised in late 2023 regarding a similar vulnerability exploited by the Russian state-backed group APT29 (also known as Nobelium or Cozy Bear) in the JetBrains TeamCity platform. This underscores the persistent threat posed by advanced persistent threat (APT) groups targeting CI/CD environments.

Suggested Corrections:
In response to these vulnerabilities TeamCity has released an updated version 2023.11.4 and provided a security patch plugin for organizations unable to upgrade immediately.

Suggested Corrections option 1: Update your server To update your server, download the latest version (2023.11.4) or use the automatic update option within TeamCity. This version includes patches for the vulnerabilities described above.

Suggested Corrections option 2: Apply the security patch plugin If you are unable to update your server to version 2023.11.4, we have also released a security patch plugin so that you can still patch your environment. The security patch plugin can be downloaded using one of the links below and installed on all TeamCity versions through 2023.11.3. It will patch the vulnerabilities described above.
The security patch plugin will only patch the vulnerabilities described above. We always recommend upgrading your server to the latest version to benefit from many other security updates.