An Update on SolarWinds
Please make sure you also read the follow-up post from the 8th of January 2021.
We’d like to provide a further update to our customers in regard to the SolarWinds breach. At this point we reiterate the message we posted yesterday – we have not played any role in this breach, nor are we aware of any vulnerabilities in TeamCity that may have led to this breach, as we are also not aware of any investigation underway.
What is TeamCity and why is it in the news?
TeamCity is our Continuous Integration and Delivery Tool. It serves to automate building, testing, and optionally deploying software. Currently it is only generally available as a self-hosted standalone application, meaning the end user is responsible for installing, configuring, and maintaining the system, including any security and access settings.
Based on the public information available (which to date is the only thing we’re aware of, as neither SolarWinds nor any governmental agency has reached out to us with any details regarding the breach), it seems that the attack on SolarWinds was targeted at their build process (what the media is referring to as a supply-chain attack). SolarWinds uses TeamCity among other tools during the build process. However, at this point, as also supported by the statements of SolarWinds’ own spokesperson, there is no evidence that TeamCity had any role in this.
“SolarWinds, like many companies, uses a product by JetBrains called TeamCity to assist with the development of its software. We are reviewing all internal and external tools as part of our investigations, which are still ongoing,” a SolarWinds spokesman said. “The Company hasn’t seen any evidence linking the security incident to a compromise of the TeamCity product,” he said.
(As quoted by The Wall Street Journal.)
The fact that TeamCity is one of the tools used by SolarWinds during the build process is what we believe has led to the news coverage.
Has JetBrains or TeamCity been compromised?
To date we have no knowledge of TeamCity or JetBrains having been compromised in any way that would lead to such a situation. In addition, we not only run regular scheduled audits of our software, but we are now organizing a further independent security audit of TeamCity. If we are to find any vulnerability in the product that may have led to this, we will be fully transparent on the matter and inform our customers under our Security and Privacy policies.
It’s also worth mentioning that we ourselves do not use SolarWinds Orion or any of their other software.
Does this affect your IDEs and other tools?
Our IDEs are standalone tools and bear no relation to TeamCity, other than the fact that we use our own installation of TeamCity to build them. We have no evidence that would indicate that any of our servers or our standalone tools have been tampered with, and, as is the case with TeamCity, we run regular security audits on our tools and systems.
Am I safe in using JetBrains tools?
None of the articles published so far, including those referencing investigations by the FBI, as well as quotes from SolarWinds themselves, show any evidence that TeamCity has any vulnerability or backdoor that would have allowed unauthorized access to the build process.
As such we have no knowledge or evidence to believe that any of our tools may have been compromised, and consequently do not believe that you are at any risk in continuing to use our tools.
We hope that the investigation with SolarWinds is finalized as soon as possible and clears up any misrepresentation of our tools and our company. We’d also like to reiterate that we offer our full cooperation with any governmental agencies and security researchers.
For over 20 years, one of our pillars has been to be transparent, honest, and truthful with our customers, and nothing hurts us more than seeing unfounded allegations that damage our reputation and instill doubt into our customers.
We highly appreciate your support and will keep you updated on any progress.
Thank you.
Maxim Shafirov
Chief Executive Officer