Security update for IntelliJ-based IDEs v2016.1 and older versions

We have just released an important update for all IntelliJ-based IDEs. This update addresses critical security vulnerabilities inside the underlying IntelliJ Platform. The vulnerabilities, in various forms, are also present in older versions of the IDEs; therefore, patches for those are also available.

While we have had no reports of any active attacks against these vulnerabilities, we strongly recommend that all users install the update as soon as possible.

Please read more on the issues and ways to update below.

Built-in web server vulnerabilities

The cross-site request forgery (CSRF) flaw in the IDE’s built-in web server allowed an attacker to access the local file system from a malicious web page, opened in the user’s browser, without user consent.

Internal RPC vulnerabilities

Over-permissive CORS settings allowed attackers to use a malicious website to access various internal API endpoints, gain access to data saved by the IDE, gather meta-information such as the IDE version, or open a project.
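The two issues above, a built-in web server that accepted cross-site requests and over-permissive CORS on the internal API, come down to the same admission question: which requests should a service bound to the loopback interface answer? The following Python is an added illustration, not JetBrains’ code or anything from the IntelliJ Platform; it contrasts a policy that reflects any Origin header with one that allows only an exact match against a trusted-origin list and otherwise requires a per-session token, the kind of “copy URL and open it in browser to trust it” step users describe in the comments. The port 63342, the `_token` query parameter and the origin list are assumptions for the example.

```python
"""Request-admission policy for a localhost developer service.

Added illustration, not JetBrains' code: it models the two weaknesses the
advisory names (a CSRF-able built-in web server and over-permissive CORS)
beside a stricter policy, and runs both over constructed sample requests.
The allow-list, the '_token' query parameter and the port are assumptions
for this example; the IDE's real internals are not described on the page.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed: the service listens on the loopback port a commenter mentions;
# only pages served from it count as trusted origins.
TRUSTED_ORIGINS = {"http://localhost:63342", "http://127.0.0.1:63342"}


def permissive_cors(request):
    """Weak policy: reflect whatever Origin the browser sent, with credentials.

    Any site's page can then read the local service's responses, which is
    the class of problem "over-permissive CORS settings" refers to.
    """
    origin = request["headers"].get("Origin")
    if origin is None:
        return 200, {}
    return 200, {"Access-Control-Allow-Origin": origin,
                 "Access-Control-Allow-Credentials": "true"}


def origin_is_trusted(origin):
    """Exact scheme+host+port match against the allow-list.

    No wildcards and no suffix matching, so a look-alike host such as
    localhost:63342.example.net does not pass; 'null' (opaque origins) and
    values carrying a path, query or fragment are rejected outright.
    """
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    return origin.lower() in TRUSTED_ORIGINS


def token_is_valid(request, expected):
    """Per-session token in the query string, compared in constant time."""
    supplied = parse_qs(urlsplit(request["url"]).query).get("_token", [""])[0]
    return bool(supplied) and hmac.compare_digest(supplied, expected)


def strict_policy(request, session_token):
    """Stricter rule, returning (status, response headers).

    A request carrying Origin is served only from a trusted origin; the exact
    origin is echoed back with Vary: Origin so caches keep responses apart.
    A request without Origin (plain navigation, <img>/<script> fetches,
    non-browser clients) must present the session token, else it is refused.
    """
    origin = request["headers"].get("Origin")
    if origin is not None:
        if origin_is_trusted(origin):
            return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        return 403, {}
    if token_is_valid(request, session_token):
        return 200, {}
    return 403, {}


# Constructed sample requests (not captured traffic).
SESSION_TOKEN = secrets.token_urlsafe(32)
SAMPLE_REQUESTS = {
    "same_origin_api": {"url": "http://localhost:63342/api/about",
                        "headers": {"Origin": "http://localhost:63342"}},
    "cross_site_api": {"url": "http://localhost:63342/api/about",
                       "headers": {"Origin": "http://other-site.example"}},
    "lookalike_origin": {"url": "http://localhost:63342/api/about",
                         "headers": {"Origin": "http://localhost:63342.example.net"}},
    "fetch_without_origin": {"url": "http://localhost:63342/project/notes.txt",
                             "headers": {}},
    "authorized_link": {"url": f"http://localhost:63342/project/notes.txt?_token={SESSION_TOKEN}",
                        "headers": {}},
}


def evaluate(policy_name):
    """Map each sample request name to the HTTP status the named policy returns."""
    if policy_name == "permissive":
        return {name: permissive_cors(req)[0] for name, req in SAMPLE_REQUESTS.items()}
    return {name: strict_policy(req, SESSION_TOKEN)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for policy in ("permissive", "strict"):
        print(policy, evaluate(policy))
```

Under the permissive policy every sample request, including the one from an unrelated site and the look-alike origin, is answered with 200 and a reflected Access-Control-Allow-Origin; under the strict policy only the same-origin request and the token-bearing link are served. Note that an Origin check alone is not enough, because the browser sends no Origin for simple GET fetches, which is why the no-Origin branch falls back to the token rather than allowing the request.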

Our huge thanks go to Jordan Milne for disclosing these issues and working closely with us, and to the Android Studio team at Google for their excellent collaboration while working on the fixes.

What to do

To install the update simply select ‘Check for Updates’ from inside the IDE or visit www.jetbrains.com to download the most recent version. If you are using a version prior to 2016.1.x, read below for download links.

For more details about the security update and in case of additional questions, refer to the FAQ below.

FAQ

Q: What products / versions are updated?
A: All JetBrains products built on the IntelliJ Platform are affected. The table below shows the minimum versions for which an update is released. If you are using the listed version or a higher one, you need to install the update.

Product          Updates available as of version (build number)
AppCode          2.1 (129.772)
CLion            1.0 (141.353)
DataGrip         1.0 (143.1410.7)
IntelliJ IDEA    12.1 (129.161)
MPS              3.0 (129.350)
PhpStorm         6.0 (129.291)
PyCharm          2.7 (125.57)
PyCharm Edu      1.0 (139.280)
Rider            Private EAP builds prior to build 144.5342
RubyMine         5.4 (129.241)
WebStorm         6.0 (127.68)

Q: Are earlier versions affected?
A: We are not aware of similar vulnerabilities in older versions. The built-in web server was introduced in December 2012 (branch 129.x), and the internal RPC vulnerabilities fixed by this update did not exist in older versions. Still, older versions may contain other vulnerabilities, which is why we recommend upgrading your IDE if it was released more than 3 years ago.

Q: What products are NOT affected?
A: ReSharper, ReSharper C++, dotCover, dotMemory, dotTrace, dotPeek, TeamCity, YouTrack, Upsource and Hub are not affected and do not need this security update.

Q: I need a full download rather than a patch for an earlier version of the IDE. Where can I download it?
A: Check the previous versions page for your product below. All versions published there contain the security update or are not affected by these two specific vulnerabilities.

Q: I’m unable to update to the latest version. Where can I get help?
A: Please contact us about the problems that prevent you from updating.

Q: I’m building an IDE on IntelliJ Platform. What should I do?
A: Make sure to merge the latest changes from the corresponding branch of intellij-community: the “129”, “131”, … “145” branches for the “129.*”, “131.*”, … “145.*” builds respectively, and “master” for the “146.*” or “162.*” builds. For details or any questions or concerns, please contact security@jetbrains.com or the partner team at busdev@jetbrains.com.

Q: I’m using an IDE built on IntelliJ Platform but not from JetBrains. What should I do?
A: We have been in contact with our partners building on IntelliJ Platform. Updates for Android Studio 1.5.x and 2.x should be available already. Please contact the vendor of the IDE for an update. If you have other questions, please contact us.

Q: I’m developing a plugin for IDEs built on IntelliJ Platform. Does my plugin need an update?
A: No, plugins are not affected.

Q: I’d like to be notified about security vulnerabilities in the future.
A: You can subscribe to the security bulletin at www.jetbrains.com/security/subscribe.

UPDATE: If you’re running on OS X and the IDE doesn’t start after installing the update, please refer to https://intellij-support.jetbrains.com/hc/en-us/articles/208516145 for workarounds.

JetBrains Team
The Drive to Develop


290 Responses to Security update for IntelliJ-based IDEs v2016.1 and older versions

  1. Was the bug exploitable when you didn’t start any server, e.g. when you only developed an Android/Desktop app?

    • Hadi Hariri says:

      The web server is active as soon as you start the IDE, so as such it is vulnerable. The updates will address this problem.

      • Dave says:

        But what if I don’t want the IDE to start a webserver? How do I stop that?

        • I have to agree. Fixing a bug in the webserver is fine, but it seems like an unnecessary attack surface for most development.

          • Hadi Hariri says:

            The Web Server is used for quite a bit of functionality for the IDE, independently of whether you’re doing web development or not. If we were to disable it, it would remove some of this functionality.

            Right now our main focus has been to address these issues while doing our best to not break any functionality in the products.

            • Pritam Baral says:

              Couldn’t that be served by a Unix socket? Obviously, I don’t know what the webserver is used for; but if all you needed was some form of IPC among locally running processes anyway, it seems there was never a need to expose it to the network.

              • Hadi Hariri says:

                When we discovered the vulnerabilities, our first and foremost objective was to fix them as soon as possible and release updates for all products, without having a major impact on functionality and the workflow of our customers.

                The internal server is not exclusively used for web application development but also serves for other functionality such as the Internal Git SSH support, Http Authorization, Serving Documentation from JAR’s as well as providing a REST API endpoint. Simply disabling it would have caused a lot of functionality to cease. And a testament to this is that currently we are seeing some impact on existing workflows which we’re addressing.

                Our next task will be to look at the viability of making the internal server opt-in and see how we could provide the same functionality via other means or, at a minimum, make customers aware of the loss of functionality.

            • Jennifer says:

              What kind of functionalities would break if web server is removed?

              I am maybe ok with losing functionality I don’t want or that I am not a user of if it means I am getting an IDE with no web server!

              – Jennifer

            • Vin Wong says:

              Actually, I don’t even know that a web server exists in the service.
              I will use a Surface 3 as my development device sometimes. It is not a great performance device. If I can turn off the web server, I think my device can run a bit faster.

              I see that some of the functions in the IDE require the web server, but what if we do not use those functions? I will be thankful if you could tell us what kind of functions depend on the web server.

              I also suggest your company add an option to the IDE, let user choose to turn on or off the web server.

            • Sachin says:

              I disagree

        • Eugen says:

          Second that. Please provide steps to prevent any web server from starting.

        • hockeymikey says:

          I agree.

        • +1. I have never used, and do not plan to use, the internal webserver. This simply does not make sense for my work. When I started reading this I thought to myself “well that’s fine, I’m not using this anyway”. Then I find out it is started by default. Not cool.

        • Daniel says:

          This is a vulnerability that had no reason to exist. As requested above, please provide steps on how to remove the internal webserver or ban it from starting.

        • Mark Starr says:

          +1: Yep – I don’t need it started. How do I stop it?

  2. Aleksey says:

    My WebStorm 2016 on Mac became a brick :( Rolling back…

  3. Anton Patrushev says:

    Trying to download OS X version, got this:

    AccessDenied
    Access Denied
    206A530861DFFBA2

    ijfXc1Wn128We6HEdyPzWY1zgutm0lsNlJo3HZZPoJ2vUjmFYRn6+uWtiRkIT7PW52lvT8m/EVY=

    • Eugene Toporov says:

      Really sorry for the inconvenience. But please specify more details. What product and version is it? Thank you

    • Mark says:

      Those look a lot like AWS keys. I think they shouldn’t be posted publicly… you may want to rotate your AWS keys if that’s what they are!

  4. Anatoly says:

    When trying to update an older version of Webstorm (10.0), I receive the following error:

    Failed to download patch file:
    Cannot download ‘http://download-cf.jetbrains.com/webstorm/WS-141.1550-141.3058-patch-win.jar’: Server returned HTTP response code: 403 for URL: http://download-cf.jetbrains.com/webstorm/WS-141.1550-141.3058-patch-win.jar
    , response: 403 Forbidden

  5. Danny says:

    If I’m using the PHPStorm 2016.1.1 EAP, is that sufficient?

  6. Brady Mulhollem says:

    Can you please document what exactly has been changed? What does IntelliJ now expect requests to include in order to be allowed?

    I was relying on this server in my development environment. I had it integrated with a reverse proxy. That is all completely broken and I can’t fix it because there is zero useful information that I can find.

  7. Daniel Bartholomae says:

    When trying to install the patch (11.0.4) for Webstorm 11.0.3 on Windows 10, Windows Defender removes some of the files due to containing a virus:
    C:\Users\user\AppData\Local\Temp\idea.updater.files.tmp.0\temp.tmp.2

  8. Anton Lazarev says:

    PhpStorm constantly crashing on opening @ Mac OS X 10.10.5

    Rolled it back to 2016.1, thank Odin I have a copy

  9. Paul says:

    What about Project Rider? I checked for updates and it said I had the most up to date version

  10. Andrei says:

    Sorry guys, you have so many bugs in your recent updates, I’d like to wait before installing the most recent one.

  11. Alex says:

    Am getting a “java.io.IOException: Couldn’t create PTY” when trying to open a git terminal in PHPStorm. Used to work before the update :)

  12. Mostafa Ali says:

    I tried installing it a couple of times but it did not work; it kept showing that the release was still 2016.1.1 and I need to update again.

    I am using Ubuntu 15.10

  13. Sébastien says:

    Here, I’ve got another problem. Now, when I run my project (in Chromium), WebStorm asks for each of my resources (webp, webm, png) to “copy authorization URL to clipboard” for validation. My project contains dozens of resources; it’s not possible to validate each of these one by one.

  14. Kevin Dahl says:

    When I try to apply the update on Linux (debian jessie/Gnome3) I get DataGrip restarting, but it just says there’s an update again each time it starts back up. Is this a known issue?

    • Kevin Dahl says:

      Seems the datagrip patch is 403:

      [ 18865] ERROR – plication.impl.ApplicationImpl – Connection failed with HTTP code 403
      com.intellij.util.io.HttpRequests$HttpStatusException: Connection failed with HTTP code 403. Status=403, Url=https://download.jetbrains.com/datagrip/DB-145.862-145.863-patch-unix.jar

      PyCharm and WebStorm both updated fine on the same machine.

    • Maksim Sobolevskiy says:

      Hello!
      It is a known issue, we hope to fix it in several hours.
      Thanks!

  15. Philip says:

    I have a question about patching older releases, we are on 14.1.x currently.

    Above in the blog post, it says that, “The vulnerabilities, in various forms, are also present in older versions of the IDEs; therefore, patches for those are also available.” Later it says regarding older versions to, “Check the previous versions page for your product below. All updates published after May 10th contain the security update. ”

    After downloading IntelliJ 14.1.7 from the previous IntelliJ releases page, it shows a build date of April 29th, 2016. This seems to indicate that it does not have the fix.
    https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases

    1. Is there a fix for 14.1.x?
    2. Can the older releases that are patched with the fix be listed by version number in the blog post, or somewhere else?
    3. Are IntelliJ licenses entitled to free updates and upgrades until a particular date eligible for bugfixes with the security fix (so long as they remain on the same major.minor release)?

    • Eugene Toporov says:

      Philip, yes 14.1.7 contains the fix. We built it earlier and it was being tested internally.
      We’ve actually published it today, so it is later than May 10. But I see the confusion, will see how the text can be improved.
      Thank you!

    • Eugene Toporov says:

      So, all answers:
      1. Yes, there is
      2. All versions of IntelliJ IDEA starting from 12.1.x that are published on https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases include the fix.
      3. These updates are free, so whatever version is available to you can be updated using a corresponding bugfix update, considering it is 12.1 or newer.

      • Philip says:

        Eugene,

        Thanks so much for the clarification and for fixing the older releases.

        I tested with 14.1.7 and can confirm the issue appears fixed (at least with the webserver serving up files in the project directory).

  16. Bas B says:

    Is there a CVE?

  17. msdisme says:

    Is the community version also affected?

  18. Maxim Shirshin says:

    WebStorm 2016 1.2 (the one with the security fix) crashes for me on MacOS after updating (tried applying the patch and doing a fresh install using the distribution file from the website). In the old version, no WebStorm 2016 can be found. What am I supposed to do? Is rolling back to Webstorm 11 the only option?

  19. Dave says:

    I updated to PHPStorm 10 and it didn’t apply half of my exported settings that I imported from v8, and now that JetBrains releases a new *MAJOR* version every 3 months, I don’t want to have to reinstall that often, I’d prefer to just get updates.

    The Major updates need to slow down to allow security patches like this to happen more easily rather than making us reinstall the entire program and risk losing a lot of configuration often.

    • Eugene Toporov says:

      Dave, I’m sorry to hear you have problems with updates and lost the settings. This of course should not happen.
      I just want to share that our plan is exactly to move to smaller, incremental updates rather than big “major” ones. This is what we’ve started with moving away from so called major versions 8->9->10 to a year-based versioning.
      And yes, we should improve our patch installation routines. This is a major task for the team.
      Thank you very much for the feedback.

  20. jth says:

    Nice update, lose all settings, all configuration in all projects and all the local history. Epic win guys, epic win… This + lots of troubles recently (many crashes), I’m tired of this… where is the time when everything just worked properly? One year ago?

    • jth says:

      You are going too fast, you’re losing it

    • Hadi Hariri says:

      You shouldn’t have lost anything. Could you maybe provide us with some more information of your settings?

      • Edward says:

        We shouldn’t, but that’s what happened. Our entire team lost all the mentioned configurations. This is ridiculous and unacceptable

        • Hadi Hariri says:

          It is completely unacceptable, I agree.

          Can you please provide me with more details of the product you are updating, from which version, and what files went missing? You can reach me on hadi@jetbrains.com or, if you prefer, log the issue and send me the ID.

  21. Oliver says:

    (quote)
    The cross-site request forgery (CSRF) flaw in the IDE’s built-in webserver allowed an attacker to access local file system from a malicious web page without user consent.
    (end_of_quote)

    It would mean that I need to display a malicious website from within the IDE?
    If I never display web content inside the IDE I am safe?
    Am I getting this right?

    • Eugene Toporov says:

      Oliver, no not from within the IDE. A page can be open in the browser.

    • Roy van Rijn says:

      I don’t think so. If you have IntelliJ or WebStorm running there is a webserver running on port 63342. The files here can be accessed from any website through any browser you’re using. I think this is the problem (there are not many details known).

      • Oliver says:

        Okay. So for me it is: while having the IDE open do not browse on any other websites than the ones of your own projects.
        Thanks for clarification.

        The hot-fix-updates seem to be a little too hot for me reading all the problems mentioned here. So I prefer to not install these until they themselves get fixed.

        The above will do it for me until then.

        • Michael says:

          I still don’t get how exactly the security issue can be used / avoided. As I see it there are two bugs mentioned that have been fixed. For both you need to open a malicious website in any browser and have WebStorm started? Then the webpage gains access to the WebStorm ports so it can possibly control WebStorm? Is that correct?

          The malicious website could access any file that webstorm has open or can open? So basically any local file? The website could also control some functions of the IDE and read metadata about the IDE? Is that correct as well?

  22. obe says:

    JetBrains – I like your company a lot and I’m very impressed with your products, but you really should up your QA and delivery processes.

    Your releases are often at Beta level, and I don’t think that I even once updated a product without seeing some sort of regression in a common functionality.

    Honestly, unless there is a specific feature I really really need – I am reluctant to upgrade for fear of what would be broken. The moment I saw your email about this security issue – I thought to myself – “ok, mental reminder to update my JetBrains products in 3-4 weeks when their patch reaches production level”. In other words: I am more afraid of upgrading than I am of an attack, even with this issue now being out in the open…

    Guys – keep up the good work and just slow down. Give bug fixing a higher priority. Educate your developers to test everything they do before they deliver to QA. Keep up the open communication with the community but don’t treat the community as a group of beta-testers…

    • Hadi Hariri says:

      Thank you for the feedback. We’re listening and we’ll do our best to improve.

      • Jennifer says:

        What kinds of testing are done now? Black box testing? White box testing? Unit testing? Usability testing? Integration testing? Hands-on testing? Automatic script testing?

        Will web testing now be done on the web server?

        – Jennifer

        • Hadi Hariri says:

          We do Unit Testing, Integration Testing, Hands-On Testing and some of this also includes automatic scripting. And we try this with as many VM’s and OS’s as we can, but obviously not enough.

          In terms of White box/Black box, both but it very much depends on the context of the code too.

  23. Arthur Guimaraes de Oliveira says:

    What’s going on?! I get an email with some important security update, and after updating it WebStorm won’t start! It became a brick! I already tried uninstalling and nothing. I got a deadline that I need to meet!!!

  24. Pablo says:

    For the records, at least with PyCharm the «Download» button in the «Platform and Plugin Updates» dialog will take you to the site downloads page, where only the latest version is directly available. Those like me who have an old license will find the version that is actually mentioned in the dialog (5.0.5 in my case) behind the «Previous versions» link, in the opened page. Or simply go here: https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases

  25. Tom Metcalfe says:

    Hi, I’m getting the ‘PHPStorm quit unexpectedly’ error. Here is the first bit of the debug details:

    Process: phpstorm [894]
    Path: /Applications/PhpStorm.app/Contents/MacOS/phpstorm
    Identifier: com.jetbrains.PhpStorm
    Version: 2016.1.1 (PS-145.970.40)
    Code Type: X86-64 (Native)
    Parent Process: ??? [1]
    Responsible: phpstorm [894]
    User ID: XXXXXX

    Date/Time: 2016-05-11 17:12:29.114 +0100
    OS Version: Mac OS X 10.10.4 (14E46)
    Report Version: 11
    Anonymous UUID: XXXXX

    Time Awake Since Boot: 550 seconds

    Crashed Thread: 0 AppKit Thread Dispatch queue: com.apple.main-thread

    Exception Type: EXC_BAD_ACCESS (SIGABRT)
    Exception Codes: KERN_INVALID_ADDRESS at 0x0000000030353230

    VM Regions Near 0x30353230:
    –>
    __TEXT 0000000100af3000-0000000100afc000 [ 36K] r-x/rwx SM=COW /Applications/PhpStorm.app/Contents/MacOS/phpstorm

    Application Specific Information:
    abort() called

    Thread 0 Crashed:: AppKit Thread Dispatch queue: com.apple.main-thread

      • Aaron Mendez says:

        I receive essentially the same crashlog with Webstorm. This after downloading a fresh installer, and already having javac 1.6.0_65. My OS Version is 10.10.5, and upgrade to El Capitan is against my company’s IT policy at the moment. This has left WebStorm bricked. Good thing I’ve got NeoVim.

        • Aaron Mendez says:

          OK, I take this back. It wasn’t clear that the Java needed is the old “Java for OS X 2015-001” – see https://support.apple.com/kb/DL1572?locale=en_US

          After installing this additional Java, WebStorm now starts.

          The Apple page states: “This package is exclusively intended for support of legacy software and installs the same deprecated version of Java 6 included in the 2014-001 and 2013-005 releases.”

          JetBrains: this seems like an embarrassing and dangerous dependency. Hopefully you’ll be able to move away from it soon.

          Thanks for the fast workaround info.

  26. James Howe says:

    So how do I get inline documentation to work again?
    I press Ctrl+Q and now get “Fetching documentation…” in the doc window and the new prompt:

    Page ‘http://localhost:63342/P…letRequestAttributes.html’ requested without authorization,
    you can copy URL and open it in browser to trust it.

    I follow those instructions and try again, but just get the prompt again.

  27. Lor says:

    What happened to the font in PhpStorm on Linux? It looks slightly different (bold and GUI font). Does it happen only on my machine?

    • Konstantin says:

      I got the same issue.

    • Jennifer says:

      Can you show us a screenshot so we can see what it looks like?

      – Jennifer

    • Kaijia says:

      Me too. Cannot fix it.

    • Thomas says:

      I’m seeing the same, not sure if it’s broken now or fixed from the last release (which I remember also looked quite different). The editor font looks a little more crisp, but project view and tabs etc are far bolder than they used to be. The blue text colour everywhere for modified files is also quite intense when you have a lot of changes, but could get used to it.

    • BoraMa says:

      I got the same issue too, under Ubuntu Linux. Bold fonts appear significantly bolder than in 2016.1. I tried the newest bundled JDK (from here https://youtrack.jetbrains.com/issue/IDEA-57233#comment=27-1432397) but it was the same. But when I copied the jre folder from the 2016.1 version over to the new version, the fonts DID return to their previous appearance. Nevertheless, after a day, I got somehow used to the new fonts.. will probably give them a try and see…

  28. Gunnar Ahlberg says:

    The upgrade went fine on my Windows 7 from 2016.1 to IntelliJ IDEA 2016.1.2
    Build #IU-145.971, built on April 29, 2016

    Keep up the good work guys

  29. Tom Clement says:

    Roy, you say: “If you have IntelliJ or WebStorm running there is a webserver running on port 63342”.

    My question is, what happens if we use a firewall to block that port. What functionality of IntelliJ would be affected and how?

    • Eugene Toporov says:

      Tom, if you block the above port the IDE will pick another one.
      You are welcome to contact our support team for more clarifications.

  30. Rey Bango says:

    Hi just to confirm, is the security issue only present when the IDE is running or is it also an issue when it’s closed down?

  31. Jörgen Persson says:

    Rider says I have the latest update. See screenshot: http://pasteboard.co/QBlaAKt.png
    However, the answer Eugene Toporov gives in this post suggests that there is a later release: http://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/#comment-254173

    • Daria Dovzhikova says:

      Hello Jörgen,

      Did you receive an email around April 25 with the links to download build 144.5342? At this point it is the latest one.

      • Jörgen Persson says:

        I searched my emails and found it and have now downloaded the latest. I still think it’s weird though that the app says I have the latest version when I obviously haven’t.

        • Daria Dovzhikova says:

          Jörgen,

          Sorry for the confusion, but Rider is still in the early stage of development, thus not all the features are available.

  32. Andrea says:

    I have IDEA 12.1.6. While installing security update 12.1.8, it asks whether I would like to uninstall IDEA 12.1.6 because it is an older version.

    I thought I am downloading a patch. Should I uninstall 12.1.6 in order to install this security update version 12.1.8?

    • Eugene Toporov says:

      Did you do the ‘Check for updates’ from the IDE? Which option did you then select?

    • Nikolay Chashnikov says:

      We provided update via patch only for IDEA 12.1.7. So in order to update to 12.1.8 from 12.1.6 you indeed need to install 12.1.8 from scratch. You may uninstall 12.1.6 later, after checking that 12.1.8 works properly for you.

  33. Jordi Tudela says:

    Trying to download OS X version for PyCharm 3.0.3 Professional, got this:

    AccessDenied
    Access Denied
    CF916CB08E37491C

    IXcVJNkD6V+exkms+Ersjg9BBlumwXqPbm6856MEloG/j67Pnn3lbYmSAP8zO4cLbmX6pYPbhSI=

  34. Philip says:

    Downloaded ideaIU-12.1.8.dmg as I only have a valid license for 12. Did the update but when I start IntelliJ now I get the famous Gatekeeper message: “IntelliJ IDEA 12” can’t be opened because it is from an unidentified developer. Why and do I have to worry?

  35. steward says:

    Oh hell not again.
    We won’t get just this patch, we’ll get a bunch of new bugs and changes to the way things used to work. I cannot take the time to gamble.

    I strongly urge the team to focus on a stable release that lasts forever.
    After six years of paying, that’s enough. I had what I needed long ago.

    Ever since it has been a nightmare cycle for your sake, not mine.

    • Nikolay Chashnikov says:

      Which version of which product do you use? The updates for IDEA 15.0.5 and IDEA 2016.1.1 indeed include many other changes, but the patches for older versions (14.1.6, 14.0.4, 13.1.6, 13.0.4, 12.1.7) consist mainly of changes related to security fixes, so they shouldn’t introduce new bugs or change behavior of the IDE.

  36. v6ak says:

    What ports are used? Is there somewhere documented what is provided by the server?

  37. Ravi says:

    Why th fk is it downloading the full IntelliJ IDE and not just the patch?

    • Eugene Toporov says:

      Sorry about it. We’ve provided as many patches as we could but were unable to create them for some. Which version are you trying to update?

      • Jennifer says:

        Can you post list of products and versions that have patch and products and versions that do not have patch but have full download?

        – Jennifer

  38. Carl says:

    Why the hell is IntelliJ running a web server in the first place?? Did I ASK you to fire-up a random web server on my dev box??

    And the absolute LAST thing I’m going to do is download your so-called “patch”. During the past year JetBrains has demonstrated it’s so incompetent at writing software, I’m never buying a new version from you again!

  39. Fadeleaf says:

    I updated IntelliJ Ultimate today. It now doesn’t load a ton of plugins (Java EE, Spring MVC, and the list goes on and on). So my projects won’t load properly. This basically bricked my projects.

  40. Jennifer says:

    Was this security problem caused in any way by the switch to subscriptions?

    http://blog.jetbrains.com/blog/2015/09/03/introducing-jetbrains-toolbox/
    http://blog.jetbrains.com/blog/2015/09/18/final-update-on-the-jetbrains-toolbox-announcement/

    I am confused why an IDE would have an internal web server?

    Like CLion, which, maybe I am wrong, but I do not think is used for web development.

    Why would it have an internal web server with bugs?

    Your clarifications are so very desired!

    – Jennifer

    • Hadi Hariri says:

      Jennifer,

      No. This is completely unrelated to the switch to subscriptions or JetBrains Toolbox. This web server functionality has been there for quite a number of years, and this is why we’re providing back-ports of up to 3 years.

      As mentioned previously, we use the internal web server for different functionality such as documentation

  41. Carl says:

    Here’s a faster and more reliable solution that works 100% of the time on OSX:

    1) Download Little Snitch
    2) Block ALL inbound and ALL outbound access for JetBrains products (except the sites you WANT to access)

    …And seriously JetBrains, FOUR open ports and THREE outbound connections, including something that looks an awful lot like realtime behavior tracking?

    I am SO rotating my passwords and SSH keys!

    • Hadi Hariri says:

      Hi Carl,

      We don’t have any type of realtime behaviour tracking. The only usage statistics we collect, which is opt-in and configurable via Preferences, is sent to us with your consent (and always anonymously), and is not realtime.

  42. Jennifer says:

    Is there any risk to my source code? If I used a vulnerable IDE and accidentally visited a page that uses this attack without my knowledge, is there a chance it would update my source code? Does the web server bug give write access to my files in the IDE? Could a malicious web page put malicious code in my source code without me knowing of it? Should I audit all of my source code to make sure it was not modified?

    Much thank you!

    – Jennifer

  43. Torsten says:

    Hi,

    I run version 10.0.2; our company license was valid until November 2015. You write me that I have to update, even older versions, so I downloaded and started the update, but I can’t unlock it: neither the key works nor the login with credentials. Both tell me it’s expired.

    I don’t understand, why you make such a big thing out of this update, when you then don’t allow me to run the program (I am not starting a 30-days-try-out-time now and I am pretty sure, that the company won’t pay again at the moment…).

    Is this just “marketing” or how can I get it to work?

    Cheers,
    Torsten

    • Torsten says:

      … and now I am pretty much confused. I stopped PhpStorm and started the old version (as I was not able to put in the key for the new one). Now I see that the name is now “PhpStorm 10.0.4”! I checked: it is really the code inside the old folder that is running; I see that the old config files are updated. The program still runs if I rename the folder of the new download and the newly created settings (so not a mix between old and new config and installation). Now I also checked inside the old folder: the application and some subfolders are updated (at least they have a datestamp from today).

      So basically you give a new version to download that can’t be installed, but it secretly patches the old version in the background?

      Ok – I am thankful that I can get a free patch and security update, but why can’t it be communicated that way? At least you should say that, instead of installing a new version in a new folder, you (also) update and overwrite old code, and not just do that in the background.

      An extremely odd experience. I hope it did not crush anything in that confusing “setup”, and that the title is showing a successful patch and not just a halfway overwritten config file.

      Cheers,
      Torsten

      • Hadi Hariri says:

        Torsten

        Not sure I understand what exactly has happened, but you should have received any update free if they were within the versions we provided support for. It should have also applied to the version you had installed.

        In any case we apologise for the issues. Is it all sorted now or can we help in any way?

  44. Python Pro says:

    Please add an option to disable the internal webserver, with documentation explaining what impact this exactly has.

    I pay annually for this product and I expect nothing less. If this is an unreasonable request I’ll take my business elsewhere.

  45. Nate says:

    Updated PyCharm with this update and now it’s telling me I’m unlicensed :( Not good. Gotta dig through old emails to hopefully find my license code.

  46. Tom P says:

    To anyone who has ssl handshake_refused errors after this update, try downloading java8 from the java website.

    I was previously using Java 6 on Mac; svn worked on the command line but not in PhpStorm.

  47. Eric Stein says:

    Hey.. uh… the links on the download page (https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases) that PyCharm sent me to when I used “Check for Updates” are pointing to a plain HTTP URL and there are no hashes posted or gpg signatures.

    But if I tweak the download URLs to be https instead of http, I can still download. Please just update the URL schemes… not exactly awesome to post a security update in a way that can be MITMed.

  48. Narra Jbsd says:

    Just would like to leave a positive comment here, in appreciation of what the JetBrains team appears to have done right on this.

    – Jumping ahead, I have the new PHPStorm EAP 145.970 installed — and it says it was built on 3 May. This indicates, I believe, that the team did indeed do substantial testing before releasing the new software. Remember also that they did not do it on Monday, either.

    – Does it work? It appears to work fine. All my history is present, settings and so forth, even the certificate signon for a vagrant ubuntu vm just installed. PhpStorm opened on my last work, just as it had before taking the upgrade.

    – On what platform am I reporting this? Windows 10, all latest upgrades Tuesday and today.

    – What precautions were taken? After reading above, I copied .idea folders from each project that had them, and I copied the various .WebIde* and .WebStorm* folders from my Users folder on W10. None of these appear to be altered, which is as it should be, before I have changed anything in the projects with the new release. Webstorm* exists because I ran the EAP for it until the improved JavaScript debugging made it into the PhpStorm EAP.

    – I would also like to compliment the team on the eager reply and early solutions they are providing for the cases where things haven’t gone perfectly. I think it’s expected to find some of that when you make substantial changes to a complex architecture — especially when it involves security permissions. But other things about build environments can slip through also, as we should all know.

    A big thank you to JetBrains for taking on and executing this challenge. I had thought something big was in the works, as the always appreciated developing upgrades had gone silent for a little while.

    Kind regards,
    Clive

  49. Tom Clement says:

    Hi Eugene, we have shipped a product based on version 12.1.7. Does the patched version 12.1.8 contain changes other than the security fix that would require additional testing?

    Thanks

  50. Bob Stein says:

    I’m running PyCharm 5.0.3, Pro edition (for Django and Flask support) on Windows 7 Pro 64bit. My subscription expired Jan 30, 2016. I can’t afford to renew right now. Is the best I can do to keep running 5.0.3? Should I run PyCharm-professional-5.0.5.exe from https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases
    ?

    Apologize for asking for help with old versions. I don’t begrudge you guys the fees, it was totally worth it. I just wonder if this security update is possible for me. The about screen says I have perpetual fallback license for this version (5.0.3) but not sure what that means. Thanks!

    • Dmitry Filippov says:

      Hi Bob,
      you had an old-style licensing subscription, which implies you have a perpetual license for any major PyCharm Professional Edition versions (releases) within your subscription period. Given the fact your subscription expired on Jan 30, 2016, you have a perpetual license for PyCharm 5 AND for all bug update versions of PyCharm 5 regardless of their release dates. Effectively that means you can upgrade to PyCharm 5.0.5 for free.
      We strongly encourage you to update to PyCharm 5.0.5 as it contains very important security bug fixes. In your case, please download the full installation distribution from https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases and run the installer. It will suggest removing the previous installation, keeping all your settings.
      I hope my answer helps.

      • Bob Stein says:

        Thanks very much, Dmitry, for the multiple clarifications! All set running 5.0.5 on laptop and desktop.

    • Oliver says:

      +1 same situation here

  51. Pingback: Emergency Patch Issued For Android Studio And IntelliJ-Based IDEs To Close Up Two Serious Security Vulnerabilities – my android

  52. Kyle Zhang says:

    Can we disable the anti-CSRF authorization of built-in server?

    Thanks

  53. Nagamohan Magadi says:

    Pre-update:
    http://localhost:63342/********/index.html#/login

    Post-update:
    http://localhost:63342/*******/index.html?_ijt=o7vnqa59dvtjo34204as5bdssp#/login
    +

    Page ‘http://localhost:63342/in…/login’ requested without authorisation,
    you can copy URL and open it in browser to trust it.

    Why is this happening and what’s the fix?? Pages are not loading properly since the update

    App: Webstorm 2016 on Mac OSX

    • Nagamohan Magadi says:

      Edit:

      App: Webstorm 2016.1.2

      • Ankit says:

        Are any fixes found, or any option to get rid of it? It stops the Protractor tests from running..

        Thanks

    • Alexey says:

      This _ijt= is also breaking our dev/test flows. We load resources from a Chrome extension and can’t pass that parameter there conveniently. Need a way to disable this!

  54. Kyle Zhang says:

    I want to disable the authorization of the built-in server; how can I do that?

    • Hadi Hariri says:

      Currently this is not possible.

      • Kyle Zhang says:

        I went back to WebStorm 2016.1.1 and will wait for a configuration to disable it, or a whitelist, to address the anti-CSRF flaw.

        I was using a reverse proxy with the built-in server, but now it’s too difficult to configure the proxy rule. Of course, I have tried appending the authorized cookie to every request session, but not all files succeed.

        Can I temporarily disable the configuration by changing some file content (like source code)?

  55. Kamen Davidkov says:

    Hi,

    I have WebStorm 11.0.1 and I’m not able to update it.
    The error I receive is:

    “Connection failed (connect timed out). Please check network connection and try again.”

  56. Jari says:

    Where is the updated version for 10.5.4 located? On the old versions download page there is still the version 10.5.4, not 10.5.5.
    Thanks!

  57. cas twue says:

    I want a patch for 14.1.5, not the full IntelliJ IDE. Can you provide a patch for that version? Thank you

  58. Oleg Muravskiy says:

    After update I get “Page ‘http://localhost:63342/m…jar/resources/inherit.gif’ requested without authorization, you can copy URL and open it in a browser to trust it.” while browsing javadoc for a class. After this IntelliJ just hangs :(

    This probably resolves CORS issue, but I don’t think this is how it’s supposed to work :)

    IntelliJ IDEA 2016.1.2, build IU-145.971.21

  59. Michael Hodgins says:

    Hi guys. Just updated; the only bugs I’ve discovered so far are that Presentation Mode and code zooming no longer work. It’s a good job I’m not doing a presentation today!

    • Hadi Hariri says:

      Hi Michael,

      Is this with IntelliJ IDEA?

      • Michael Hodgins says:

        Hi Hadi. No, it was with PhpStorm and WebStorm. I don’t know what’s happening, because Presentation mode has started working again, though not the feature where I can pinch to zoom in on code.

  60. Johan says:

    After installing the security patch, javadoc doesn’t work in IDEA (version 2016.1.2). All I get after pressing CTRL-Q on a method is a dialogue saying “Page ‘http://localhost:63342/…./Awaiting.html’ requested without authorization, you can copy URL and open it browser to trust it.” where Awaiting is the Java class I wanted to view the documentation for.
    So after the update it’s not possible to view Javadoc inside IDEA any longer.

    How do I fix this or work around it?

  61. Neil Laurance says:

    Is there any report from the license server that can show the version each developer is using?

  62. Bryan says:

    I’m having a problem with error 404 when using localhost to view my site. I’ll try and send details but for now can you give me a link to download 11.0.3 please because I need to get on with my work and I’m hindered by the update.
    Thanks
    Bryan

  63. Sela Yair says:

    Do I need to pay to get the security update?

    • Eugene Toporov says:

      No, an update for any version that you currently have a license for is free

    • Hadi Hariri says:

      If you have an active subscription, no. If you do not and your version is under some of the ones we cover (which we go back up to 3 years), then also no, it’s free. If you could tell me what product and version you have then I could tell you for sure.

  64. Arulan Pari says:

    Hey, in Drupal, *.install extensions are not working

  65. Darek Krzywania says:

    After the update I can’t use my license key. The system tells me the key is already in use.

  66. Chris says:

    Same here.. I’m pissed! The last updates messed up my configuration here and there and altered things I don’t like. It’s a pain to find the right option because there are thousands of them.. AAAAAAAAAAAAAAARGH 😀 I hate this red border around function parameters I see every time I use the autocomplete function.. thank you for this one! More colors.. the people need colors !!!! :)

    I don’t need help.. I just needed to let some steam out of my head!
    I feel better now. Have a nice day, everybody.

  67. Zachery Hysong says:

    It would be fantastic if you made a launcher / updating platform like Adobe does for Creative Cloud. Then you could just push the updates out to all the IDEs at once. It would save a lot of time for people like me who have almost the whole suite installed on multiple PCs.

  68. Pavel says:

    Open files via ajax gone on open in browser preview :(

  69. Michael Bennett says:

    I am getting the same error around terminals (http://cmder.net/) cmder.

    command line is: cmd.exe /K “c:\dev\cmder\vendor\init.bat”

    error: java.io.IOException: Couldn’t create PTY

    Was working 5 minutes before applying the upgrade…

  70. Joshua Dockins says:

    I am on a Linux Mint machine. I tried to update pycharm from 2016.1.2 to 2016.1.3 but nothing happened after the restart. Still on 2016.1.2. Is there a fix being worked on to allow the 2016.1.3 update on Linux Mint machines?

    • Dmitry Filippov says:

      We have one patch for all Linux distributions, so it should work for Linux Mint as well. What happens if you check for updates once again via Help | Check for updates? If there’s an update still available, please try again. If not, you can download the full installation from the download page: https://www.jetbrains.com/pycharm/download/#section=linux
      Please install 2016.1.3 alongside your current installation, and only after that delete the old version. All IDE and project settings will be preserved in this case.
      We haven’t got any complaints about Linux patch updates until now; if you see there’s a problem still existing, please fill in this form to contact the tech support: https://intellij-support.jetbrains.com/hc/en-us/requests/new?ticket_form_id=66731
      They’ll be able to debug your problem.

  71. Vipin K says:

    Hello,
    What would be the major impact on the application developed for Android client ?

    Thanks!!

  72. Joel Wochele says:

    Getting
    Refused to execute script from ” because its MIME type (‘application/octet-stream’) is not executable, and strict MIME type checking is enabled.
    after the update.
    Any detailed information on what has changed with the update?
    Or suggestion where I can start tracking down the error?

    • Vladimir Krivosheev says:

      We set the header “X-Content-Type-Options: nosniff”. Please ensure that your web server sets the correct Content-Type for script files.
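      As an added example (not JetBrains code), the following Node.js script models the check a browser applies once “X-Content-Type-Options: nosniff” is present, so that the “Refused to execute script … MIME type (‘application/octet-stream’)” failure quoted above can be found in captured responses before users hit it. The JavaScript MIME type list is the one from the WHATWG MIME Sniffing standard; the sample responses are constructed.

```javascript
// Added example, not JetBrains code: emulate a browser's nosniff decision for
// script and stylesheet responses. Without nosniff, a script served as
// application/octet-stream still executes; with nosniff it is refused unless
// its Content-Type essence is a JavaScript MIME type (stylesheets need text/css).

// JavaScript MIME types per the WHATWG MIME Sniffing standard.
const JAVASCRIPT_MIME_TYPES = new Set([
  'application/ecmascript', 'application/javascript', 'application/x-ecmascript',
  'application/x-javascript', 'text/ecmascript', 'text/javascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript', 'text/x-ecmascript', 'text/x-javascript',
]);

// Header names are case-insensitive; build a lowercase lookup once.
function headerLookup(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  return (name) => lower[name.toLowerCase()];
}

// "text/javascript; charset=utf-8" -> "text/javascript" (the MIME "essence").
function mimeEssence(contentType) {
  if (!contentType) return null;
  return contentType.split(';')[0].trim().toLowerCase();
}

// Fetch's "determine nosniff": first comma-separated value, compared case-insensitively.
function isNosniff(value) {
  return (value || '').split(',')[0].trim().toLowerCase() === 'nosniff';
}

// Decide whether a response used as `destination` ('script' or 'style') is blocked.
// Returns { blocked, reason } so the reason can be shown to whoever runs the server.
function nosniffDecision(headers, destination) {
  const get = headerLookup(headers);
  const essence = mimeEssence(get('content-type'));
  if (!isNosniff(get('x-content-type-options'))) {
    return { blocked: false, reason: 'no nosniff header: browser may sniff the type' };
  }
  if (destination === 'script' && !(essence && JAVASCRIPT_MIME_TYPES.has(essence))) {
    return { blocked: true, reason: `strict MIME type checking: '${essence || '(missing)'}' is not executable` };
  }
  if (destination === 'style' && essence !== 'text/css') {
    return { blocked: true, reason: `strict MIME type checking: '${essence || '(missing)'}' is not text/css` };
  }
  return { blocked: false, reason: `${essence} is acceptable for ${destination}` };
}

// Scan captured responses and return only those a nosniff-enforcing browser refuses.
function findBlockedResponses(responses) {
  return responses
    .map((r) => ({ url: r.url, destination: r.destination, ...nosniffDecision(r.headers, r.destination) }))
    .filter((r) => r.blocked);
}

// Constructed sample: one script with a wrong type, one correct script, one stylesheet.
const sampleResponses = [
  { url: 'http://localhost:63342/app/main.js', destination: 'script',
    headers: { 'X-Content-Type-Options': 'nosniff', 'Content-Type': 'application/octet-stream' } },
  { url: 'http://localhost:63342/app/vendor.js', destination: 'script',
    headers: { 'X-Content-Type-Options': 'nosniff', 'Content-Type': 'text/javascript; charset=utf-8' } },
  { url: 'http://localhost:63342/app/style.css', destination: 'style',
    headers: { 'X-Content-Type-Options': 'nosniff', 'Content-Type': 'text/css' } },
];

console.log(findBlockedResponses(sampleResponses));
```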

  73. Vojislav says:

    Couldn’t you just make the webserver bind only to the loopback interface? No need for it being accessible over any other interface present, I reckon? That is, if I understood correctly that those vulnerabilities can be exploited remotely while running the IntelliJ IDE?

  74. Pingback: How I Fixed: PHPStorm 2016.1.1 Weird Graphical Glitch | Code Review Videos

  75. Shmulik Alfandari says:

    I am using IntelliJ IDEA version 14.1.4
    From where can I download the security patch?

  76. Bill Tsapalos says:

    I am trying to find out more about the CSRF vulnerability.
    According to the description if I understand correctly it looks like a Local File Inclusion (LFI). Where can I find more info about this vulnerability?

    Thank you in advance,
    Bill

  77. Maier says:

    /abc.html
    /abc.js

    http://localhost:63342/abc.html (Success)
    http://localhost:63342/abc.js (404 Not Found)

    How to visit the file(abc.js) now?

  78. Franziskus Karsunke says:

    Beside all the negative comments here I wanted to say thank you to the Jetbrains team for the communication in this case. Also providing an update down to IntelliJ 12.1 is very nice of you guys!

    Keep up the good work!

  79. D Deryl Downey says:

    Hadi,

    Tell the guys and gals I said Thank You! I’ve the entire suite of toolsets from JetBrains, licenced under your Education program, and the updates went flawlessly. I was actually expecting a bunch of issues as I also run Windows Insider Preview Build 14342.rs1_release.160506-1708 of Windows 10 on that machine. Zero issues here.

    I’ve had cause to have issues with you guys before (using RubyMine). Not a single one the last 2 rounds since installing the 2016 releases. Much improved, much appreciated, and good job!

  80. Peter says:

    Hi,

    2 quick questions:

    1.- If I don’t start the IDE, there are no vulnerabilities. Is that correct? Does the web server start when Windows starts? Or only when I open Android Studio?

    2.- If we have a very old version of android studio, is that vulnerability in those old versions? (like Android Studio 1.0.2 for example).

    Thank you.

  81. cowst says:

    Any plan to make updates work again on Ubuntu?

    • Eugene Toporov says:

      Updates should work on Ubuntu. Do you experience any issues?
      Please note that we were unable to provide patch-updates for all combinations and in some cases it is necessary to download a full installer. Sorry for the inconvenience, if this is the case for you.

  82. The IDE doesn’t even start after the security update. Good job guys, please continue. As a paying customer, I absolutely enjoy doing alpha testing.

  83. concerned_intellijayer says:

    I’ve just installed Mac OS X v15.0.6 of IntelliJ Ultimate, downloaded from
    https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases

    But on clicking ‘About IntelliJ IDEA’ I see
    IntelliJ IDEA 15.0.6
    Build #IU-143.2370, built on April 28, 2016

    That’s a long way before the announcement of this vulnerability on May 11th.

    Could you please confirm that Mac OS X v15.0.6 of IntelliJ Ultimate from https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases contains the fix for this vulnerability?

  84. SeanR says:

    Today I installed the Mac OS X v15.0.6 version of IntelliJ Ultimate, downloaded from
    https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases

    But on clicking ‘About IntelliJ IDEA’ I see the date of the build comes before this announcement. I really would just like confirmation that the Mac OS X v15.0.6 of IntelliJ Ultimate from https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases contains the fix for this vulnerability?

    There are widespread concerns here that 15.0.6 does not contain the fix due to this date discrepancy.

    Thank you!

    • Eugene Toporov says:

      Sean, thank you for the feedback.
      The build date is earlier than the announcement date because it was really built earlier. We had to prepare and test updates for many versions of many products and therefore some were built earlier and were waiting for the announcement and were being tested internally. The v15.0.6 published at the Previous Releases page does contain the security vulnerabilities fix.

      -Eugene

  85. Eric B. says:

    Is it possible that the update affected the Upsource Plugin ‘Test Connection’ feature? When it takes me to the Chrome to authenticate, it fails to return to Upsource after I authenticate. It instead directs Chrome to URL like so: https://localhost:3100/?code=XXXX . And Chrome shows ERR_SSL_PROTOCOL_ERROR, “This site can’t provide a secure connection”.

    • Artem says:

      Hi Eric,

      Redirect to localhost is an expected behavior, so the security update shouldn’t be a cause here.

      The most interesting thing that redirect should go to http://localhost… but not to https://..

      Perhaps you have some proxy configuration (like http_redirect) that causes this behavior?

  86. Ikhtiyor says:

    The “Copy authorization URL to clipboard” popup is annoying in WebStorm. Each time you refresh the browser with a cleared cache, we need to copy the newly generated URL and then paste it into the address bar, and so on and so forth. I think this is not a fix but just a workaround to resolve an issue.

  87. be;lle says:

    I updated to the latest version and then all my previously compiled programs started giving error messages, pls how do I fix it

  88. ayoub bougsid says:

    Thymeleaf is still not working when using Spring Boot; is any fix going to come soon?

  89. Eric P says:

    Can you summarize any open issues with this update so we can decide if it’s ok to upgrade?

    • Eugene Toporov says:

      Eric, do you mean if there are any issues related to update installation?
      Please let me know which version and which product.
      I can also recommend checking with our support team (https://intellij-support.jetbrains.com); they should be able to give you a qualified answer.

      • Eric P says:

        Eugene,

        Right, will I hit one of the issues people have run into above when I update to avoid this security issue.

        I’m using Webstorm 11.0.1. Build #WS-143.382 for Windows

        Thanks,
        Eric

  90. Bart says:

    Every time I dare update my IDE, the new version says it will uninstall the old version. But it never says if all my settings will be preserved (subversion, etc.), so I exit out. Will updating IDEA from 14.1.3 to 14.1.7 cause a disruption in my work, as I am in the middle of major code changes, but I keep getting warned about having to update?

    • Eugene Toporov says:

      Bart, the uninstall of the old version is optional. Also, the settings are stored separately in a system folder, so uninstallation should not delete them too.
      To be safe you can back up your IDE settings using File->Export Settings from the IDE.
      You are welcome to contact our support team at https://intellij-support.jetbrains.com/ if you have more questions.

  91. 游莉雅 says:

    I want JetBrains for learning!

  92. Marcelo says:

    Hello.

    I’m using RubyMine v2016.1 Build #RM-145.597 on Linux and I got an update notice.

    Tried to update, the patch is downloaded, but after the restart the version is not updated. Strange.

    If I check for updates, there they are again. It was not applied.

    I’m running as administrator every time I tried to update.

    Thanks!

  93. Steven Holloway says:

    This version is totally broken for me.
    UI locks up immediately upon reaching a breakpoint.
    UI locks after about 1.5 hours of editor use with no server running.

    • Eugene Toporov says:

      Sorry to hear this Steven.
      Please contact our support team with more details so they could try to help resolve the issues.

  94. Zachary Markham says:

    When trying to run using a custom Run/Debug configuration I’m constantly getting the “Page ” requested without authorization, you can copy URL and open it in browser to trust it.”

    My run configuration has some custom URL params that are required so I have to copy the authorization URL from the prompt, get the auth param, and append it to my original URL. Is there not an easier way to do this? It’s really annoying. Can the param not be auto appended when using a Run configuration?
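    The _ijt value seen in comments 53 and 94 is a query parameter. As an added example (not JetBrains code), this Node.js helper copies it from the “copy URL … to trust it” address into a Run-configuration URL that already has its own parameters and a hash-router fragment such as #/login, assuming the parameter is always named _ijt; the sample URLs and token are constructed.

```javascript
// Added example, not JetBrains code: carry the built-in server's anti-CSRF
// token (_ijt) into a URL with custom parameters and a hash fragment.
// Assumption: the token is always the query parameter named _ijt. The fragment
// after '#' is never sent to the server, so a token placed there does not
// authorise the request; it has to sit in the real query string.

const TOKEN_PARAM = '_ijt';

// Extract the token from the authorised URL the IDE offers to copy.
function extractToken(authorizedUrl) {
  const token = new URL(authorizedUrl).searchParams.get(TOKEN_PARAM);
  if (!token) {
    throw new Error(`no ${TOKEN_PARAM} parameter in ${authorizedUrl}`);
  }
  return token;
}

// Insert the token into targetUrl's query string, keeping existing parameters
// and the fragment. A token mistakenly pasted after '#' (index.html#/login?_ijt=...)
// is removed from the fragment and moved into the query string.
function withToken(targetUrl, token) {
  const url = new URL(targetUrl);
  const hashQuery = url.hash.indexOf('?');
  if (hashQuery !== -1) {
    const fragParams = new URLSearchParams(url.hash.slice(hashQuery + 1));
    if (fragParams.has(TOKEN_PARAM)) {
      fragParams.delete(TOKEN_PARAM);
      const rest = fragParams.toString();
      url.hash = url.hash.slice(0, hashQuery) + (rest ? '?' + rest : '');
    }
  }
  url.searchParams.set(TOKEN_PARAM, token);
  return url.href;
}

// Take the Run-configuration URL and the authorised URL copied from the prompt.
function addIjtToken(targetUrl, authorizedUrl) {
  return withToken(targetUrl, extractToken(authorizedUrl));
}

// Does the URL's query string (not its fragment) carry the token?
function hasToken(targetUrl) {
  return new URL(targetUrl).searchParams.has(TOKEN_PARAM);
}

// Constructed sample: a hash-routed page with its own parameter and a made-up token.
const sampleTarget = 'http://localhost:63342/myapp/index.html?env=dev#/login';
const sampleAuthorized = 'http://localhost:63342/myapp/index.html?_ijt=EXAMPLETOKEN123';

console.log(addIjtToken(sampleTarget, sampleAuthorized));
// → http://localhost:63342/myapp/index.html?env=dev&_ijt=EXAMPLETOKEN123#/login
```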

  95. Sergey says:

    After pressing the button “update and restart”, PhpStorm downloads something (progress bar completes), the IDE restarts, but the IDE version doesn’t change and it says that I need to update again. I pressed “update and restart” 5 times and nothing changes after the IDE auto restart.

    • Eugene Toporov says:

      Hi Sergey,
      I’m sorry about the problem and thank you for reporting.
      In this case I’d suggest to download the complete installer. Which version are you trying to update, btw?

      • Sergey says:

        I’m trying to update:

        Build version: PhpStorm 10.0.3 Build #PS-143.1770 January 8, 2016
        Java version: 1.8.0_51-b16x86
        Operating System: Windows 7 (6.1, x86)

  96. Canuteson says:

    I have a Perpetual fallback license for PyCharm 5.0.5, which is not valid for 2016.2. The post states there are patches for previous versions, but the Pycharm links have the latest Pycharm 5.x line showing an old build I already have:
    https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases

    Can you please clarify how people on 5.x can patch without upgrading to 2016.2.x?
