New page with all fixed security issues

To help you answer these questions, we’ve created a page with information about fixed security issues. It contains information about all of the vulnerabilities that we’ve ever resolved, across all JetBrains products and services. Similar to the Security Bulletin, you’ll find the issue description, fix version, CWE (Common Weakness Enumeration) ID, and assigned CVE (if applicable) for each issue. We’ve also added the ability to filter the results, so you can review only the issues relevant to the product you are interested in. 

We plan to add information about fixed security issues to the page when new product versions are released, so you’ll be able to learn about security updates for JetBrains products faster than before.

Emails will be sent monthly

For those who receive the Bulletin via email, the process will remain mostly the same but with just one change: we will create our digest of fixed issues monthly instead of quarterly. If you are already subscribed, no action is needed from your side. If you want to subscribe, please do so here.

JetBrains becomes a CNA

One more thing to report is that JetBrains has been authorized by the CVE Program as a CVE Numbering Authority (CNA). A CNA is an organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerabilities in the associated CVE Records. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.

Once we discover a security issue in a JetBrains product, we always add information about the issue to the CVE List to provide consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.  

As a CNA, JetBrains will be able to:

• Assign CVE IDs for issues discovered in JetBrains products faster.
• Provide the most accurate information for the CVE list (description, impact, and root cause).

If you have any questions about our approach, please feel free to get in touch with us at security@jetbrains.com.

Stay safe,

The JetBrains team

On March 29, 2022, we became aware of the Remote Code Execution vulnerabilities CVE-2022-22963 and CVE-2022-22965 in several libraries of the Spring Framework, which is commonly used in web applications.

Our response

Together with the product teams we ran an audit of JetBrains web applications, including the products: YouTrack, Hub, TeamCity, Space, Datalore, and services: JetBrains Website and JetBrains Account.

None of the applications listed above use vulnerable versions of Spring or they don’t meet known exploitation criteria and are therefore not affected by the discovered security issues. Please refer to the following technical discussions concerning TeamCity, Hub, and YouTrack.

Other JetBrains products, including all IntelliJ Platform IDEs, .NET tools, Toolbox App, Code With Me, JetBrains Gateway, Kotlin, and Ktor are not affected by the issues as they are not web applications using the Spring Framework.

We will continue monitoring any further developments with these vulnerabilities.

We will also continue to test our products and services for security issues resulting from the use of third-party components, and update the versions of any such components as and when appropriate fixes become available. 

Stay safe,

The JetBrains team

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

On December 27, 2021, we became aware of a security issue that exposes certain JetBrains Remote Development backend IDEs to the networks the server is connected to. This was a result of misconfiguration on our side.

The following IDEs were affected:

• IntelliJ IDEA 2021.3.1 Preview (213.6461.21) and IntelliJ IDEA 2021.3.1 RC (213.6461.48)
• PyCharm Professional 2021.3.1 RC (213.6461.6)
• GoLand 2021.3.1 (213.6461.23)
• PhpStorm 2021.3.1 Preview (213.6461.28) and PhpStorm 2021.3.1 RC (213.6461.58)
• RubyMine 2021.3.1 Preview (213.6461.24) and RubyMine 2021.3.1 RC (213.6461.46)
• CLion 2021.3.1 (213.6461.46)
• WebStorm 2021.3.1 Preview (213.6461.19) and WebStorm 2021.3.1 RC (213.6461.38)

Users who initially configured their backend IDEs within the date ranges specified below are most likely affected:

• IntelliJ IDEA: Dec 16–29, 2021
• PyCharm Professional: Dec 15–30, 2021
• GoLand: Dec 20–30, 2021
• PhpStorm: Dec 17–30, 2021
• RubyMine: Dec 16–29, 2021
• CLion: Dec 22–29,2021
• WebStorm: Dec 16–29, 2021

If you configured the backend IDEs before the dates above and you have not updated them, you should be safe. However, we recommend checking your backend IDE version just to make sure.

Actions we’ve taken

We fixed the issue on Dec 27, 2021 and we have released the following updates with the fix:

• IntelliJ IDEA 2021.3.1 (213.6461.79)
• PyCharm Professional 2021.3.1 (213.6461.77)
• GoLand 2021.3.2 (213.6461.81)
• PhpStorm 2021.3.1 (213.6461.83)
• RubyMine 2021.3.1 (213.6461.75)
• CLion 2021.3.2 (213.6461.75)
• WebStorm 2021.3.1 (213.6461.79)

Actions you should take

If you use JetBrains Gateway with one of the vulnerable IDEs listed above as a backend for Remote development, please update to the fixed version of the corresponding IDE. If it is not possible for you to upgrade, please make sure that the environment variable ORG_JETBRAINS_PROJECTOR_SERVER_ENABLE_WS_SERVER=false is being set upon each launch of the Remote Development Server. This usually implies adding the line export ORG_JETBRAINS_PROJECTOR_SERVER_ENABLE_WS_SERVER=false  to the login shell profile of the user that is used to launch the server. Please make sure that the server is restarted after setting the variable. 

We sincerely apologize for what has happened. Please rest assured that we are taking steps to avoid this issue from occurring again in the future. 

If you need any further assistance, please contact support@jetbrains.com or simply comment on this post.

Similar to the rest of the industry, we became aware on the 10th of December 2021 of the Remote Code Execution vulnerability CVE-2021-44228 in the popular Java logging library log4j (all versions between 2.0 and 2.14.1 are vulnerable). We immediately took action to mitigate any potential impacts on our applications and systems. We’d like to provide you with an update.

Actions we’ve taken

We have run an audit of the applications that use log4j and have upgraded to 2.15.0 where necessary. Following is the list of already audited products and their status:

• All IntelliJ platform based IDEs – Not affected.
• All .NET tools – Not affected.
• Toolbox – Not affected.
• TeamCity – Not affected. Investigation details: TW-74298. 
• Hub – Fix was released in version #2021.1.14063 on 13th of December 2021. Please check updates below.
• YouTrack Standalone – Fix was released in version #2021.4.35970 on 14th of December 2021. Details for both Hub and YouTrack: JT-67582. Please check updates below.
• YouTrack InCloud – Fix was released on 10th of December 2021.
• Datalore – Not affected.
• Space – Not affected.
• Code With Me – Fix was released on 13th of December 2021 (only jitsi which is used for calls was affected).
• Gateway – Not affected.
• Kotlin – Not affected.
• Ktor – Not affected.
• MPS – Not affected. 
• JetBrains Account – Fix was released on 10th of December 2021.
• Floating license server – Fix was released in version #30211 on 11th of December 2021.
• Upsource – Fix was released in version #2020.1.1952 on 13th of December 2021.

We are continuing to test our services to see whether they are vulnerable, as a result of using third party components, and if/where applicable, take the necessary actions. We are also monitoring further development of the story.

Actions you should take

If you are a user of YouTrack Standalone, Hub, Upsource, or Floating license server, please make sure you have either updated to the newly released versions or restarted the services with the -Dlog4j2.formatMsgNoLookups=true JVM parameter.

Update 14th December 2021 – 18:25 CET
Administrators of YouTrack Standalone and Hub installations must take further action to secure their instances. Please please refer to the YouTrack and Hub blog posts for further details. Also, the Hub release was in 2021.1.14080 as opposed to 2021.1.14063 listed above.

JetBrains Team

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team
The Drive to Develop