JetBrains TeamCity: Critical vulnerability CVE-2024-23917 (on-premises)

A small addendum from yesterday regarding security. There is a critical vulnerability in JetBrains TeamCity Server that endangers on-premises installations. A security update is available and should be installed as soon as possible. I don't know who among the readers uses the package; I didn't know the name myself. I will summarize the necessary information in this article.



What is JetBrains TeamCity?

TeamCity is a Java-based build management and continuous integration server from the Russian-Czech manufacturer JetBrains. According to the manufacturer, TeamCity is used for the automated building and testing of software products. It provides quick feedback on every code change, reduces code integration problems and leads to more effective teamwork. Many popular games, websites, banking systems and all JetBrains products are built with TeamCity. As part of the assessment of the SolarWinds attack, TeamCity was investigated as a possible attack vector by US security agencies, among others, since it is used by 80% of the top 100 companies in the United States.

Vulnerability in TeamCity

I came across the topic via the following tweet from Ninja Owl. The Hacker News took up the topic in this article, the JetBrains blog post is available here.

JetBrains TeamCity vulnerability

The compact version for quick readers: On January 19, 2024, an external security researcher reported a critical vulnerability in the TeamCity On-Premises version. The vulnerability CVE-2024-23917 was made public on February 6, 2024 and carries a CVSS 3.x score of 9.8, which makes it very critical. Normally a user has to authenticate before using the product, but the vulnerability allows this authentication to be bypassed.

CVE-2024-23917 can allow an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass the authentication checks and gain administrative control over that TeamCity server. The vulnerability affects all TeamCity on-premises versions from 2017.1 up to and including 2023.11.2. The vendor has fixed the vulnerability in TeamCity version 2023.11.3.
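For anyone who runs several TeamCity servers, the first practical step is to find out which of them fall into the affected range. The following script is an added example written for this post, not code from JetBrains or from the TeamCity project. It parses TeamCity version strings of the form YEAR.MAJOR[.MINOR], optionally followed by a "(build NNN)" suffix as shown in the server footer (the exact footer format is an assumption), and classifies each entry of a constructed, fictitious server inventory against the range 2017.1 to 2023.11.2 named in the advisory. Anything older than 2017.1 is reported separately, because the advisory does not cover those versions; cloud instances are patched by the vendor and are skipped.

```python
import re
from typing import Dict, List, Optional, Tuple

# Boundaries from the JetBrains advisory for CVE-2024-23917:
# affected 2017.1 <= version < 2023.11.3, fixed in 2023.11.3.
FIRST_AFFECTED = (2017, 1, 0)
FIXED_IN = (2023, 11, 3)

# TeamCity version strings look like "2023.11.2" or "2023.11"; the server
# footer is assumed to render them as "Version 2023.11.2 (build 147626)".
_VERSION_RE = re.compile(r"(\d{4})\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (year, major, minor) from a version string; minor defaults to 0."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    year, major, minor = match.group(1), match.group(2), match.group(3)
    return (int(year), int(major), int(minor or 0))


def classify(version_text: str) -> str:
    """Return one of: vulnerable, fixed, older-than-advisory, unknown."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if version < FIRST_AFFECTED:
        # Not listed in the advisory at all; treat as unsupported and review manually.
        return "older-than-advisory"
    if version < FIXED_IN:
        return "vulnerable"
    return "fixed"


# Constructed, fictitious inventory: hostname -> (deployment type, version text).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "build01.example.internal": ("on-premises", "Version 2023.11.2 (build 147626)"),
    "build02.example.internal": ("on-premises", "2023.11"),
    "build03.example.internal": ("on-premises", "2023.11.3"),
    "legacy.example.internal": ("on-premises", "2016.2.1"),
    "old-ci.example.internal": ("on-premises", "2017.1"),
    "team.teamcity.example": ("cloud", "2023.11.2"),
    "mystery.example.internal": ("on-premises", "n/a"),
}


def find_vulnerable(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Hostnames of on-premises servers still inside the affected range."""
    return sorted(
        host
        for host, (deployment, version_text) in inventory.items()
        if deployment == "on-premises" and classify(version_text) == "vulnerable"
    )


def needs_manual_review(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """On-premises hosts whose version is unparseable or predates the advisory."""
    return sorted(
        host
        for host, (deployment, version_text) in inventory.items()
        if deployment == "on-premises"
        and classify(version_text) in ("unknown", "older-than-advisory")
    )


if __name__ == "__main__":
    for host in find_vulnerable(INVENTORY):
        print(f"UPDATE REQUIRED: {host} -> {INVENTORY[host][1]}")
    for host in needs_manual_review(INVENTORY):
        print(f"REVIEW MANUALLY: {host} -> {INVENTORY[host][1]}")
```

Replace the constructed inventory with whatever your asset list or the server footers report. Note that a server reporting "2023.11" without a patch level is the original 2023.11 release and is therefore still inside the affected range.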



The manufacturer recommends that all users update their on-premises servers to the latest version. To update, the latest version (2023.11.3) can be downloaded, or the automatic update in TeamCity can be used. In environments where this is not possible, the vendor has released a security patch plugin (details can be found in this blog post). After updating, it is worth confirming that the server actually reports version 2023.11.3 or later. The TeamCity cloud servers have already been patched by the vendor and are not vulnerable.


