Important Security Notice – MPS 3.4.4 fixes a security issue with local storage
One additional improvement to MPS 3.4 has been released – MPS 3.4.4 is now available for download. In addition to the usual dose of fixes, which you can check out in the release notes, this version fixes a security vulnerability.
On February 1, 2017, we discovered a security vulnerability in the MPS dialog for submitting exceptions to YouTrack. The dialog allows you to submit problems that occur in a running MPS application directly from within MPS, either anonymously or with your YouTrack or JetBrains Account credentials. When issues are submitted using credentials (anonymous submissions are not affected), the supplied credentials are stored in an unencrypted file in the MPS configuration folder. While this does not pose an imminent security risk, as the user folder is accessible only by the specific user, anyone able to access this file could read the credentials.
What actions we have taken
MPS 3.4.4 (and MPS 2017.1 EAP2) resolve this issue. On first run, these versions delete the file containing unencrypted data and prompt the user for a password to protect the credentials in a new encrypted data storage.
What actions you should take
Please download MPS 3.4.4 from https://www.jetbrains.com/mps/download/, install it, and launch the application.
If you believe that someone may have accessed your local home folder and potentially seen your credentials, we recommend changing them.
Products written using MPS are most likely affected by this vulnerability. If your product redistributes MPS code without modification, the class “jetbrains.mps.ide.blame.CharismaReporter” is responsible for logging an exception to the YouTrack bug tracker of the MPS project. In this case, similar issues with unencrypted YouTrack credentials storage may affect users of your product. We do recommend updating the MPS platform and shipping a new version of your product to end-users, and taking the necessary steps to notify them.
If you have replaced or plan on replacing the CharismaReporter class with another one that reports exceptions directly to your product's own bug tracking system, or if your product contains code that saves sensitive data unencrypted using the IntelliJ platform's PersistentStateComponent API, we suggest you replace these with the new encrypted storage API available on the IntelliJ platform.
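The replacement suggested above, as an added example that is not JetBrains' or MPS's own code: a PersistentStateComponent that keeps a password in its state, next to a version that keeps only the login there and moves the password into the platform credential store. It assumes the encrypted storage API meant here is PasswordSafe with CredentialAttributes as documented in the IntelliJ Platform SDK, and a platform build that provides it; the class names, the file name and the "ExampleTracker"/"reporter" keys are hypothetical.

```java
import com.intellij.credentialStore.CredentialAttributes;
import com.intellij.credentialStore.CredentialAttributesKt;
import com.intellij.credentialStore.Credentials;
import com.intellij.ide.passwordSafe.PasswordSafe;
import com.intellij.openapi.components.PersistentStateComponent;
import com.intellij.openapi.components.State;
import com.intellij.openapi.components.Storage;

// BEFORE (the pattern to remove): every public field of the state object,
// including the password, is serialized as plain text into the XML file.
@State(name = "ExampleTrackerInsecure", storages = @Storage("exampleTracker.xml"))
final class InsecureTrackerSettings
    implements PersistentStateComponent<InsecureTrackerSettings.Data> {
  public static final class Data {
    public String login = "";
    public String password = "";   // ends up readable on disk
  }
  private Data data = new Data();
  @Override public Data getState() { return data; }
  @Override public void loadState(Data state) { data = state; }
}

// AFTER: only the non-secret login stays in persistent state; the password
// goes to the platform credential store (assumed API: PasswordSafe).
@State(name = "ExampleTracker", storages = @Storage("exampleTracker.xml"))
final class TrackerSettings implements PersistentStateComponent<TrackerSettings.Data> {
  public static final class Data {
    public String login = "";
  }
  private Data data = new Data();
  @Override public Data getState() { return data; }
  @Override public void loadState(Data state) { data = state; }

  // Hypothetical subsystem/key names identifying this entry in the store.
  private static CredentialAttributes attributes() {
    return new CredentialAttributes(
        CredentialAttributesKt.generateServiceName("ExampleTracker", "reporter"));
  }
  void save(String login, String password) {
    data.login = login;
    PasswordSafe.getInstance().set(attributes(), new Credentials(login, password));
  }
  String password() {              // null when nothing is stored
    return PasswordSafe.getInstance().getPassword(attributes());
  }
  void forget() {                  // a null Credentials removes the entry
    PasswordSafe.getInstance().set(attributes(), null);
  }
}
```

When migrating existing users, also delete the old state file or clear its password field on first run, as MPS 3.4.4 does with its own unencrypted file.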
If you need any further assistance, please contact our Support Engineers.
The Drive to Develop
-JetBrains MPS Team