Important Security Update for JetBrains Gateway

Read this post in other languages:
English, Français, 한국어, 简体中文

On December 27, 2021, we became aware of a security issue that exposes certain JetBrains Remote Development backend IDEs to the networks the server is connected to. This was a result of misconfiguration on our side.

The following IDEs were affected:

  • IntelliJ IDEA 2021.3.1 Preview (213.6461.21) and IntelliJ IDEA 2021.3.1 RC (213.6461.48)
  • PyCharm Professional 2021.3.1 RC (213.6461.6)
  • GoLand 2021.3.1 (213.6461.23)
  • PhpStorm 2021.3.1 Preview (213.6461.28) and PhpStorm 2021.3.1 RC (213.6461.58)
  • RubyMine 2021.3.1 Preview (213.6461.24) and RubyMine 2021.3.1 RC (213.6461.46)
  • CLion 2021.3.1 (213.6461.46)
  • WebStorm 2021.3.1 Preview (213.6461.19) and WebStorm 2021.3.1 RC (213.6461.38)

Users who initially configured their backend IDEs within the date ranges specified below are most likely affected:

  • IntelliJ IDEA: Dec 16–29, 2021
  • PyCharm Professional: Dec 15–30, 2021
  • GoLand: Dec 20–30, 2021
  • PhpStorm: Dec 17–30, 2021
  • RubyMine: Dec 16–29, 2021
  • CLion: Dec 22–29,2021
  • WebStorm: Dec 16–29, 2021

If you configured the backend IDEs before the dates above and you have not updated them, you should be safe. However, we recommend checking your backend IDE version just to make sure.

Actions we’ve taken

We fixed the issue on Dec 27, 2021 and we have released the following updates with the fix:

  • IntelliJ IDEA 2021.3.1 (213.6461.79)
  • PyCharm Professional 2021.3.1 (213.6461.77)
  • GoLand 2021.3.2 (213.6461.81)
  • PhpStorm 2021.3.1 (213.6461.83)
  • RubyMine 2021.3.1 (213.6461.75)
  • CLion 2021.3.2 (213.6461.75)
  • WebStorm 2021.3.1 (213.6461.79)

Actions you should take

If you use JetBrains Gateway with one of the vulnerable IDEs listed above as a backend for Remote development, please update to the fixed version of the corresponding IDE. If it is not possible for you to upgrade, please make sure that the environment variable ORG_JETBRAINS_PROJECTOR_SERVER_ENABLE_WS_SERVER=false is being set upon each launch of the Remote Development Server. This usually implies adding the line export ORG_JETBRAINS_PROJECTOR_SERVER_ENABLE_WS_SERVER=false  to the login shell profile of the user that is used to launch the server. Please make sure that the server is restarted after setting the variable. 

We sincerely apologize for what has happened. Please rest assured that we are taking steps to avoid this issue from occurring again in the future. 

If you need any further assistance, please contact support@jetbrains.com or simply comment on this post.

Discover more