Log4j vulnerability and JetBrains Products and Services
Similar to the rest of the industry, we became aware on the 10th of December 2021 of the Remote Code Execution vulnerability CVE-2021-44228 in the popular Java logging library log4j (all versions between 2.0 and 2.14.1 are vulnerable). We immediately took action to mitigate any potential impacts on our applications and systems. We’d like to provide you with an update.
Actions we’ve taken
We have run an audit of the applications that use log4j and have upgraded to 2.15.0 where necessary. The following is the list of already audited products and their status:
- All IntelliJ platform based IDEs – Not affected.
- All .NET tools – Not affected.
- Toolbox – Not affected.
- TeamCity – Not affected. Investigation details: TW-74298.
- Hub – Fix was released in version #2021.1.14063 on 13th of December 2021. Please check updates below.
- YouTrack Standalone – Fix was released in version #2021.4.35970 on 14th of December 2021. Details for both Hub and YouTrack: JT-67582. Please check updates below.
- YouTrack InCloud – Fix was released on 10th of December 2021.
- Datalore – Not affected.
- Space – Not affected.
- Code With Me – Fix was released on 13th of December 2021 (only Jitsi, which is used for calls, was affected).
- Gateway – Not affected.
- Kotlin – Not affected.
- Ktor – Not affected.
- MPS – Not affected.
- JetBrains Account – Fix was released on 10th of December 2021.
- Floating license server – Fix was released in version #30211 on 11th of December 2021.
- Upsource – Fix was released in version #2020.1.1952 on 13th of December 2021.
We are continuing to test our services to see whether they are vulnerable as a result of using third-party components and, where applicable, will take the necessary actions. We are also monitoring further developments.
Actions you should take
If you are a user of YouTrack Standalone, Hub, Upsource, or Floating license server, please make sure you have either updated to the newly released versions or restarted the services with the -Dlog4j2.formatMsgNoLookups=true JVM parameter.
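To find which self-hosted installations still need the upgrade or the JVM parameter, an administrator can inventory the log4j-core JARs on the host. The script below is an added example, not JetBrains code: it flags JARs whose version falls in the 2.0 to 2.14.1 range stated above and that still contain the JndiLookup class. It assumes the usual log4j-core-<version>.jar file naming and does not look inside nested or shaded archives.

```python
import re
import sys
import zipfile
from pathlib import Path

# Vulnerable range as stated in the advisory: 2.0 through 2.14.1.
VULN_MIN, VULN_MAX = (2, 0, 0), (2, 14, 1)
# Assumption: jars keep the standard "log4j-core-<version>.jar" file name.
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")
# Class in log4j-core that performs the JNDI lookups.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(jar_name):
    """Return (major, minor, patch) from a log4j-core jar name, or None."""
    m = JAR_NAME.search(jar_name)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def in_vulnerable_range(version):
    return VULN_MIN <= version <= VULN_MAX


def has_jndi_lookup(jar_path):
    """True if the jar ships JndiLookup. Unreadable jars count as True (fail safe)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return JNDI_CLASS in jar.namelist()
    except (zipfile.BadZipFile, OSError):
        return True


def scan(root):
    """Yield (path, version, needs_action) for each log4j-core jar under root."""
    for path in sorted(Path(root).rglob("log4j-core-*.jar")):
        version = parse_version(path.name)
        if version is None:
            continue
        yield str(path), version, in_vulnerable_range(version) and has_jndi_lookup(path)


if __name__ == "__main__":
    for path, version, needs_action in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "UPGRADE OR MITIGATE" if needs_action else "ok"
        print(f"{status:20} {'.'.join(map(str, version))}  {path}")
```

Run it with the installation directory as the only argument; any line marked UPGRADE OR MITIGATE points at a service that should be updated or restarted with the parameter above.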
Update 14th December 2021 – 18:25 CET
Administrators of YouTrack Standalone and Hub installations must take further action to secure their instances. Please refer to the YouTrack and Hub blog posts for further details. Also, the Hub fix was released in 2021.1.14080, not in 2021.1.14063 as listed above.