Sunday, June 30, 2024

TeamCity Major Bug-Fix Release for All Versions: Update Your Server Now



❗️ Important update: Due to a technical error, the bug-fix releases 2022.04.6, 2022.10.5, and 2023.05.5 don’t include all said security fixes, so we advise postponing the upgrade to these versions until we publish new builds. We will update this blog post and send additional notifications once this has been done.

Summary

  • Earlier this year, several critical vulnerabilities were discovered in TeamCity. All versions of TeamCity On-Premises through 2023.11.3 were affected by these vulnerabilities. TeamCity Cloud was not affected.
  • We offered our customers two options to mitigate the vulnerabilities – upgrading to a bug-fix release or installing a security patch plugin.
  • We have since discovered that the security patch plugin doesn’t provide an optimal long-term way of protecting a TeamCity server from these vulnerabilities. In specific edge cases, it might still be possible to bypass the plugin.
  • In our spirit of taking an ethical approach to vulnerability disclosure, we’ve filed CVE-2024-36470, sharing just enough information to inform our customers without providing full technical details. This minimizes the risk of exploitation. We will be adding more specific details on the issue within the next 60 days.
  • We’re releasing bug-fix releases for several older versions of TeamCity, including non-supported versions (2022.04 through 2023.11), with the aforementioned security fixes integrated.
  • We’re also enabling customers with much older, out-of-maintenance licenses to install a version of TeamCity with these security fixes built in (version 2022.04.6). Any older TeamCity license will automatically be compatible with this version.

    ❗️ Important update: We have identified an issue in the 2022.04.6 bug-fix release that prevents older licenses from automatically being compatible with this version. We advise against upgrading to this version for the moment, until we publish an updated bug-fix release. If you’ve already upgraded to 2022.04.6 and your licenses show as incompatible, please request a temporary Enterprise evaluation license from here. This will provide you with unlimited build configurations and unlimited agents until the new version is released.

  • Finally, we’re taking this opportunity to backport a number of fixes for previously disclosed security issues into these new bug-fix releases, enabling all customers to benefit from additional security fixes.

Details

Earlier this year, several critical vulnerabilities were discovered in TeamCity. If abused, the flaws might have enabled an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass the authentication checks and gain administrative control of the TeamCity server.

All versions of TeamCity On-Premises through 2023.11.3 were affected by these vulnerabilities. Customers of TeamCity Cloud had their servers patched immediately and weren’t affected.

To mitigate the risks introduced by these vulnerabilities, we offered our customers two options. The first option was updating their servers to the latest version, which included patches for the discovered vulnerabilities.

For customers who were unable to update their server, we offered a second option – applying a security patch plugin. However, we’ve since discovered the security patch plugin doesn’t provide an optimal long-term way of protecting a TeamCity server from these vulnerabilities. In specific edge cases, it might still be possible to bypass the plugin.

In our spirit of taking an ethical approach to vulnerability disclosure, we’ve filed CVE-2024-36470, sharing just enough information to inform our customers, without providing full technical details. This minimizes the risk of exploitation. We will be adding more specific details on the issue within the next 60 days.

Our customers’ security is our utmost priority. In order to protect our customers from any potential security threats, we’ve rolled out major bug-fix releases for several older versions of TeamCity (versions 2022.04 through 2023.11). These new releases include fixes for the aforementioned security vulnerabilities, negating the requirement to use a security patch plugin.

We have also taken this opportunity to backport a number of fixes for previously disclosed security issues into these new bug-fix releases, enabling all customers to benefit from additional security fixes.

All TeamCity customers are, therefore, able to upgrade to a fixed version:

  • Customers with versions 2021.2 and older can upgrade their servers to version 2022.04.6 free of charge. Any older Enterprise Server and Build Agent licenses that are out of maintenance will automatically be compatible with version 2022.04.6. See the FAQ for more details.

    ❗️ Important update: We have identified an issue in the 2022.04.6 bug-fix release that prevents older licenses from automatically being compatible with this version. We advise against upgrading to this version for the moment, until we publish an updated bug-fix release. If you’ve already upgraded to 2022.04.6 and your licenses show as incompatible, please request a temporary Enterprise evaluation license from here. This will provide you with unlimited build configurations and unlimited agents until the new version is released.

  • Customers using 2022.04 or a more recent version can upgrade to the respective bug-fix release within their major version (2022.04.6, 2022.10.5, 2023.05.5, 2023.11.5).

To update, go to https://www.jetbrains.com/teamcity/download/other.html and download one of these bug-fix releases. Alternatively, you can perform an automatic update via Administration | Updates directly in TeamCity.

Please refer to the release notes associated with your version of TeamCity for more details:

The vulnerabilities didn’t affect version 2024.03, so today we’re releasing 2024.03.2 as a regular bug-fix update.

We strongly recommend that all TeamCity On-Premises customers upgrade their servers to the latest available version. If you have any questions regarding this announcement or encounter problems upgrading, please get in touch with the TeamCity Support team by submitting a ticket.

Frequently asked questions

I’m currently running an affected version of TeamCity but have the security patch plugin installed. Should I upgrade my server to one of the newly released versions?

Yes, we strongly recommend upgrading to one of the new bug-fix versions listed above, even if you have the security patch plugin installed. Fixes for the aforementioned security issues are now built into the product, along with several less severe security fixes for previously disclosed vulnerabilities being backported to each of these new bug-fix releases. The security patch plugin can be uninstalled from the server after it has been updated to one of these new bug-fix releases.

I’m using TeamCity Enterprise 2017.2, and my paid licenses lapsed on their maintenance in 2018. Can I upgrade to 2022.04.6 free of charge?

Yes, we’ve specifically made the new 2022.04.6 bug-fix release compatible with all old license keys (even if you still use TeamCity 7.0, released back in 2012). It is important to note that only the 2022.04.6 release has been made compatible with all older license keys.

This will enable all customers to benefit from a more secure version of TeamCity, regardless of whether their licenses are under active maintenance.

❗️ Important update: We have identified an issue in the 2022.04.6 bug-fix release that prevents older licenses from automatically being compatible with this version. We advise against upgrading to this version for the moment, until we publish an updated bug-fix release. If you’ve already upgraded to 2022.04.6 and your licenses show as incompatible, please request a temporary Enterprise evaluation license from here. This will provide you with unlimited build configurations and unlimited agents until the new version is released.

I’m using TeamCity Enterprise 2023.05.4, and my licenses have since lapsed on their maintenance. Can I upgrade to the 2023.05.5 bug-fix release at no cost?

Yes, all bug-fix releases within a major version number (e.g. 2023.05) are compatible with the license keys for that version, meaning you can install the minor update at no cost. For example, license keys compatible with 2023.05 are valid for all minor versions within 2023.05.x.

I’m using the free TeamCity Professional license on version 2018.x and also purchased some additional build agent licenses in 2018. These additional agent licenses have been out of maintenance since 2019. Can I upgrade to 2022.04.6 and still use my additional build agent licenses with that version?

Yes, any old build agent license keys will automatically be valid for use with the new 2022.04.6 bug-fix release.

Should I manually remove the security patch plugin from the server after updating it to one of the new bug-fix releases?

Yes, the security patch plugin is no longer required after you upgrade to one of the new bug-fix releases (2022.04.6, 2022.10.5, 2023.05.5, or 2023.11.5) and will be ignored on server start-up. It can be safely removed after upgrading to one of these versions.

I’ve been using a vulnerable version of TeamCity. How can I check my server hasn’t already been compromised?

Please check out our guide on investigating a compromised TeamCity on-premises server and its build environment.
