
Important Security Notice – MPS 3.4.4 fixes a security issue with local storage

One additional improvement to MPS 3.4 has been released – MPS 3.4.4 is now available for download. In addition to the usual dose of fixes, which you can check out in the release notes, this version fixes a security vulnerability.

What happened

On February 1, 2017, we discovered a security vulnerability in the MPS dialog for submitting exceptions to YouTrack. The dialog allows you to submit problems that occur in a running MPS application directly from within MPS, either anonymously or with your YouTrack or JetBrains Account credentials. When submitting issues using credentials (anonymous submissions are not affected by this), the supplied credentials are stored in an unencrypted file in the MPS configuration folder. While this does not pose an imminent security risk, as the user folder is accessible only by the specific user, anyone able to read this file could recover the credentials.

What actions we have taken

MPS 3.4.4 (and MPS 2017.1 EAP2) resolve this issue. On first run, these versions delete the file containing the unencrypted data and prompt the user for a password to protect the credentials in a new encrypted data storage.

What actions you should take

Please download MPS 3.4.4 available from https://www.jetbrains.com/mps/download/, install and launch the application.
If you believe that someone may have accessed your local home folder and potentially seen your credentials, we’d recommend changing them.

Products written using MPS are most likely affected by this vulnerability. If your product redistributes MPS code without modification, the class “jetbrains.mps.ide.blame.CharismaReporter” is responsible for logging an exception to the YouTrack bug tracker of the MPS project. In this case, the same unencrypted storage of YouTrack credentials may affect users of your product. We do recommend updating the MPS platform, shipping a new version of your product to end-users, and taking the necessary steps to notify them.
If you have replaced, or plan to replace, the CharismaReporter class with one that reports exceptions directly to your product’s own bug tracking system, or if your product contains code that saves sensitive data using the IntelliJ platform’s PersistentStateComponent API (which writes it unencrypted), we suggest replacing it with the new encrypted storage API available on the IntelliJ platform.
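To make the recommendation above concrete, here is an added Java example; it is not MPS or IntelliJ code and not taken from this post. It shows the weak pattern (a PersistentStateComponent whose state bean carries the password, so the platform serializes it as clear text into an XML file under the configuration folder) next to a hardened form that keeps only the non-secret user name in the XML state and hands the password to the IntelliJ platform's PasswordSafe, CredentialAttributes and Credentials classes, which I assume to be the encrypted storage API the post refers to. The component, file and service names are hypothetical; the migration in loadState mirrors the post's own fix of moving an existing clear-text secret into protected storage on first run.

```java
import com.intellij.credentialStore.CredentialAttributes;
import com.intellij.credentialStore.Credentials;
import com.intellij.ide.passwordSafe.PasswordSafe;
import com.intellij.openapi.components.PersistentStateComponent;
import com.intellij.openapi.components.State;
import com.intellij.openapi.components.Storage;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/**
 * BEFORE (weak): the password is a plain field of the state bean, so the platform
 * writes it unencrypted into youtrackReporterUnsafe.xml in the configuration folder.
 * Component and file names are hypothetical.
 */
@State(name = "YouTrackReporterUnsafe", storages = @Storage("youtrackReporterUnsafe.xml"))
final class YouTrackReporterSettingsUnsafe
    implements PersistentStateComponent<YouTrackReporterSettingsUnsafe.State> {
  static class State {
    public String userName;
    public String password; // lands on disk in clear text
  }
  private State state = new State();
  @Override public State getState() { return state; }
  @Override public void loadState(@NotNull State loaded) { state = loaded; }
}

/**
 * AFTER (hardened): secrets go through PasswordSafe, which the platform keeps in the
 * OS keychain or in its own password-protected store; only a lookup key is needed here.
 */
final class YouTrackReporterCredentials {
  private static final String SERVICE_NAME = "MyProduct.YouTrackReporter"; // hypothetical

  private YouTrackReporterCredentials() {}

  private static CredentialAttributes attributesFor(@NotNull String userName) {
    return new CredentialAttributes(SERVICE_NAME, userName);
  }

  /** Store or replace the password for userName; a null password removes the entry. */
  static void save(@NotNull String userName, @Nullable char[] password) {
    Credentials credentials = password == null ? null : new Credentials(userName, password);
    PasswordSafe.getInstance().set(attributesFor(userName), credentials);
  }

  /** Returns the stored password, or null if none was ever saved for userName. */
  @Nullable
  static String load(@NotNull String userName) {
    Credentials credentials = PasswordSafe.getInstance().get(attributesFor(userName));
    return credentials == null ? null : credentials.getPasswordAsString();
  }

  /** Remove a previously saved password, e.g. when the user logs out. */
  static void clear(@NotNull String userName) {
    PasswordSafe.getInstance().set(attributesFor(userName), null);
  }
}

/**
 * AFTER (hardened): the XML state keeps only the user name. The legacy password field
 * exists solely so that a file written by the old version can be migrated on load.
 */
@State(name = "YouTrackReporter", storages = @Storage("youtrackReporter.xml"))
final class YouTrackReporterSettings
    implements PersistentStateComponent<YouTrackReporterSettings.State> {
  static class State {
    public String userName; // not secret, may stay in the XML file
    public String password; // legacy field, read once for migration and then cleared
  }
  private State state = new State();
  @Override public State getState() { return state; }
  @Override public void loadState(@NotNull State loaded) {
    if (loaded.password != null && loaded.userName != null) {
      // Move the clear-text secret into PasswordSafe and drop it from the state, so the
      // password is no longer part of what the platform writes back on the next save.
      YouTrackReporterCredentials.save(loaded.userName, loaded.password.toCharArray());
      loaded.password = null;
    }
    state = loaded;
  }
}
```

A reporter built on this would call YouTrackReporterCredentials.load(userName) at submission time instead of reading a password field from its settings state, and call clear on log-out; the migration only covers files the hardened version is able to read, so a release that also removes the old file, as MPS 3.4.4 does, is still worth shipping.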

If you need any further assistance, please contact our Support Engineers.

The Drive to Develop
-JetBrains MPS Team
