Important Security Notice – MPS 3.4.4 fixes a security issue with local storage

Vaclav Pech

One additional improvement to MPS 3.4 has been released – MPS 3.4.4 is now available for download. In addition to the usual dose of fixes, which you can check out in the release notes, this version fixes a security vulnerability.

What happened

On February 1, 2017, we discovered a security vulnerability in the MPS dialog for submitting exceptions to YouTrack. The dialog allows you to submit problems that occur in a running MPS application directly from within MPS, either anonymously or with your YouTrack or JetBrains Account credentials. When submitting issues with credentials (anonymous submissions are not affected by this), the supplied credentials are stored in an unencrypted file in the MPS configuration folder. While this does not pose an imminent security risk, since the user's home folder is accessible only to that user, anyone else able to read this file would see the credentials in the clear.

What actions we have taken

MPS 3.4.4 (and MPS 2017.1 EAP2) resolve this issue. On first run, these versions delete the file containing the unencrypted data and prompt the user for a password to protect the credentials in a new encrypted data storage.

What actions you should take

Please download MPS 3.4.4 from https://www.jetbrains.com/mps/download/, install it and launch the application.
If you believe that someone may have accessed your local home folder and potentially seen your credentials, we'd recommend changing them.

Products written using MPS are most likely affected by this vulnerability. If your product redistributes MPS code without modification, the class “jetbrains.mps.ide.blame.CharismaReporter” is responsible for logging an exception to the YouTrack bug tracker of the MPS project. In this case, the same issue with unencrypted storage of YouTrack credentials may affect users of your product. We recommend updating the MPS platform, shipping a new version of your product to end users, and taking the necessary steps to notify them.
If you have replaced or plan to replace the CharismaReporter class with one that reports exceptions directly to your product's own bug-tracking system, or if your product contains code that saves sensitive data through the IntelliJ platform's PersistentStateComponent API (which writes it to disk unencrypted), we suggest replacing that code with the new encrypted storage API available on the IntelliJ platform.
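To make the last recommendation concrete, here is an added example (not MPS or JetBrains code) of a plugin-side settings component that keeps a bug-tracker password in a PersistentStateComponent, beside the same component rewritten so that only the user name reaches the XML file and the secret goes into the IntelliJ platform's PasswordSafe. It assumes the CredentialAttributes / Credentials / PasswordSafe API that the IntelliJ platform exposes from the 2017.1 line onwards; the class names, the ExampleReporter subsystem name and the reporter.xml file name are hypothetical.

```java
package com.example.reporter;

import com.intellij.credentialStore.CredentialAttributes;
import com.intellij.credentialStore.CredentialAttributesKt;
import com.intellij.credentialStore.Credentials;
import com.intellij.ide.passwordSafe.PasswordSafe;
import com.intellij.openapi.components.PersistentStateComponent;
import com.intellij.openapi.components.State;
import com.intellij.openapi.components.Storage;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/**
 * BEFORE (weak): every public field of State is serialised to reporter.xml
 * in the IDE configuration folder as plain text, the password included.
 * Hypothetical class; mirrors the pattern the notice warns about.
 */
@State(name = "ReporterSettings", storages = @Storage("reporter.xml"))
class PlainReporterSettings implements PersistentStateComponent<PlainReporterSettings.State> {
  public static class State {
    public String userName;
    public String password; // lands unencrypted on disk
  }

  private State state = new State();

  @Nullable @Override public State getState() { return state; }
  @Override public void loadState(@NotNull State loaded) { state = loaded; }
}

/**
 * AFTER (hardened): only the non-secret user name is persisted in XML; the
 * password lives in PasswordSafe, which the platform keeps encrypted
 * (native keychain or a password-protected store, as the user configures).
 * Hypothetical class; the ExampleReporter subsystem name is made up.
 */
@State(name = "ReporterSettings", storages = @Storage("reporter.xml"))
class SafeReporterSettings implements PersistentStateComponent<SafeReporterSettings.State> {
  private static final String SUBSYSTEM = "ExampleReporter"; // assumed name

  public static class State {
    public String userName;
    /** Kept only so that an old reporter.xml still deserialises; migrated and cleared in loadState. */
    @Deprecated public String password;
  }

  private State state = new State();

  @Nullable @Override public State getState() { return state; }

  @Override public void loadState(@NotNull State loaded) {
    state = loaded;
    // Migration: a legacy plain-text password is moved into the safe and
    // removed from the XML-backed state, so the next save no longer writes it.
    if (state.password != null && state.userName != null) {
      setCredentials(state.userName, state.password.toCharArray());
      state.password = null;
    }
  }

  /** One stable key per (subsystem, purpose, user); generateServiceName formats it the way the platform expects. */
  private static CredentialAttributes attributes(@NotNull String userName) {
    String serviceName = CredentialAttributesKt.generateServiceName(SUBSYSTEM, "youtrack");
    return new CredentialAttributes(serviceName, userName);
  }

  /** Stores the pair; a null password removes the entry from the safe. */
  public void setCredentials(@NotNull String userName, @Nullable char[] password) {
    state.userName = userName;
    Credentials credentials = password == null ? null : new Credentials(userName, password);
    PasswordSafe.getInstance().set(attributes(userName), credentials);
  }

  /** Reads the pair back; null when no user name is stored or the safe has no entry. */
  @Nullable public Credentials getCredentials() {
    if (state.userName == null) return null;
    return PasswordSafe.getInstance().get(attributes(state.userName));
  }
}
```

The split matters because PersistentStateComponent is a serialisation mechanism, not a secret store: whatever is reachable from getState() is written as XML under the configuration folder, readable by anything running as that user and by anyone who copies the folder. A quick check for a product built on MPS is to search the generated configuration folder for the tracker's user name after logging in once; if the password appears next to it in an XML file, the component storing it needs the second form.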

If you need any further assistance, please contact our Support Engineers.

The Drive to Develop
-JetBrains MPS Team


3 Responses to Important Security Notice – MPS 3.4.4 fixes a security issue with local storage

  1. smmribeiro says:

    March 22, 2017

    Hi Vaclav,

    What about older releases of MPS, are they affected by this security vulnerability, or is it a 3.4+ issue?
    I’m particularly interested in version 3.3.5 (#143.1301).

    BTW: is there any EOL (End-Of-Life) policy on MPS versions?

    Regards,

    Sérgio Ribeiro
    Porto – Portugal

  2. Vaclav Pech says:

    March 22, 2017

    Hi Sérgio,

    yes, the issue with YouTrack credentials concerns older versions, as well, including 3.3.5.

    As an open-source project we, in general, provide maintenance and bug-fixes to public users for the two latest versions of MPS – the stable release (3.4 ATM) and the upcoming development version (2017.1). MPS 3.3 is outside of this range, unfortunately.

    Regards,
    Vaclav

    • smmribeiro says:

      March 22, 2017

      Ok. Thank you.

      Sérgio Ribeiro
      Porto – Portugal
