{"id":107562,"date":"2021-01-07T18:47:04","date_gmt":"2021-01-07T17:47:04","guid":{"rendered":"https:\/\/blog.jetbrains.com\/?post_type=blog&#038;p=107562"},"modified":"2021-01-12T13:01:35","modified_gmt":"2021-01-12T12:01:35","slug":"an-update-on-solarwinds-cs","status":"publish","type":"blog","link":"https:\/\/blog.jetbrains.com\/cs\/blog\/2021\/01\/07\/an-update-on-solarwinds-cs\/","title":{"rendered":"An Update on SolarWinds"},"content":{"rendered":"<p><strong>Please also read the <a href=\"https:\/\/blog.jetbrains.com\/cs\/blog\/2021\/01\/08\/january-8th-update-on-solarwinds-cs\/\">statement of January 8, 2021<\/a><\/strong><\/p>\n<p>We would like to provide our customers with further information about the <a href=\"https:\/\/www.cisa.gov\/news\/2020\/12\/13\/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network\" target=\"_blank\" rel=\"noopener\">cyberattack on SolarWinds<\/a>. Today we repeat the statement we <a href=\"https:\/\/blog.jetbrains.com\/blog\/2021\/01\/06\/statement-on-the-story-from-the-new-york-times-regarding-jetbrains-and-solarwinds\/\">published yesterday<\/a> &#8211; we played no role in this attack, we are not aware of any vulnerabilities in our TeamCity product that could have led to this attack, and we are not aware of any ongoing investigation.<\/p>\n<p><strong>What is TeamCity and why is it in the news?<\/strong><br \/>\nTeamCity is our continuous integration and deployment tool. It is used to automate the development, testing and, optionally, deployment of software. 
It is currently available only as a standalone &quot;self-hosted&quot; application, which means that the end user is responsible for installing, configuring and maintaining the system, including all security and access settings.<\/p>\n<p>Based on publicly available information (which is so far all we have, since neither SolarWinds nor any government agency has yet contacted us with any details about the attack), it appears that the attack on SolarWinds targeted their development process (which the media refer to as a supply chain attack). SolarWinds uses TeamCity, among other tools, in its development process. However, at this moment there is no evidence that TeamCity played any role in the attack, which is also confirmed by the statement of a SolarWinds spokesperson.<\/p>\n<p>&quot;SolarWinds, like many other companies, uses a product from JetBrains called TeamCity, which helps with the development of our own software. As part of our ongoing investigation, we are reviewing all internal and external tools,&quot; said a SolarWinds spokesperson. 
&quot;Our company has found no evidence linking this security incident to a compromise of the TeamCity product,&quot; he said.<\/p>\n<p>Quoted by <a href=\"https:\/\/www.wsj.com\/articles\/solarwinds-hack-breached-justice-department-systems-11609958761\" target=\"_blank\" rel=\"noopener\">The Wall Street Journal<\/a>.<\/p>\n<p>In our opinion, the fact that TeamCity is one of the tools SolarWinds uses in its development process is what led to our product being mentioned in the news coverage.<\/p>\n<p><strong>Have JetBrains or its TeamCity product been compromised?<\/strong><br \/>\nSo far we have no information that TeamCity or JetBrains have been attacked in any way that would lead to such a situation. In addition, not only do we perform regular scheduled audits of our software, but we are now also organizing a further independent security audit of TeamCity. 
If we find any vulnerability in our product that could have led to the attack, we will be fully transparent about it and will inform our customers in accordance with our <a href=\"https:\/\/www.jetbrains.com\/privacy-security\/?fromFooter\" target=\"_blank\" rel=\"noopener\">Security and Privacy Policy<\/a>.<\/p>\n<p>It is also worth mentioning that we ourselves do not use SolarWinds Orion or any other software from that company.<\/p>\n<p><strong>Does this affect your IDEs and other tools?<\/strong><br \/>\nOur IDEs are standalone tools and have no relationship to TeamCity, other than that we use our own TeamCity installation to develop them. We have no evidence suggesting that any of our servers or our standalone tools have been tampered with, and, as with TeamCity, we perform regular security audits of our tools and systems.<\/p>\n<p><strong>Can I safely use JetBrains tools?<\/strong><br \/>\nNone of the articles published so far, including those referring to the FBI investigation, nor the statements of SolarWinds itself, provide any evidence that TeamCity had any vulnerability or backdoor flaw that would allow unauthorized access to the development process.<\/p>\n<p>We therefore have no reason to 
believe that any of our tools could be compromised, and so we see no risk in continuing to use our tools.<\/p>\n<p>We hope that the investigation of the SolarWinds attack will be completed as soon as possible and will clear up all misinformation about our tools and our company. We would also like to reiterate that we offer our full cooperation to any government authorities and security investigators.<\/p>\n<p>For more than 20 years, one of our pillars has been transparency, honesty and truthfulness toward our customers, and nothing hurts us more than unfounded accusations that damage our reputation and sow doubt among our customers.<\/p>\n<p>We greatly appreciate your support and will keep you informed of any progress in this matter.<\/p>\n<p>Thank you,<\/p>\n<p>Maxim Shafirov<br \/>\nChief Executive 
Officer<\/p>\n","protected":false},"author":1229,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","categories":[4918,89,6366,6365],"tags":[],"cross-post-tag":[],"acf":[],"_links":{"self":[{"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/blog\/107562"}],"collection":[{"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/users\/1229"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/comments?post=107562"}],"version-history":[{"count":7,"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/blog\/107562\/revisions"}],"predecessor-version":[{"id":107841,"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/blog\/107562\/revisions\/107841"}],"wp:attachment":[{"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/media?parent=107562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/categories?post=107562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/tags?post=107562"},{"taxonomy":"cross-post-tag","embeddable":true,"href":"https:\/\/blog.jetbrains.com\/cs\/wp-json\/wp\/v2\/cross-post-tag?post=107562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}