The JetBrains Security Blog

SpringShell Vulnerability in JetBrains Products and Services

Ilya Pleskunin

What happened

On March 29, 2022, we became aware of the Remote Code Execution vulnerabilities CVE-2022-22963 and CVE-2022-22965 in several libraries of the Spring Framework, which is commonly used in web applications.

Our response

Together with the product teams we ran an audit of JetBrains web applications, including the products: YouTrack, Hub, TeamCity, Space, Datalore, and services: JetBrains Website and JetBrains Account.

None of the applications listed above use vulnerable versions of Spring or they don’t meet known exploitation criteria and are therefore not affected by the discovered security issues. Please refer to the following technical discussions concerning TeamCity, Hub, and YouTrack.

Other JetBrains products, including all IntelliJ Platform IDEs, .NET tools, Toolbox App, Code With Me, JetBrains Gateway, Kotlin, and Ktor are not affected by the issues as they are not web applications using the Spring Framework.

We will continue monitoring any further developments with these vulnerabilities.

We will also continue to test our products and services for security issues resulting from the use of third-party components, and update the versions of any such components as and when appropriate fixes become available.

Stay safe,

The JetBrains team

Security Bulletin Changes

Discover more

SOC 2 (Service Organization Control II) is a comprehensive audit framework developed by the American Institute of CPAs (AICPA). This framework assesses the controls a service organization has in place in terms of security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report evaluates the design and suitability of these controls. This means an external auditor has looked at our systems and processes and confirmed that they are designed in accordance with the SOC2 requirements.

For the last several years, we have published the JetBrains Security Bulletin on our blog and sent emails to Bulletin subscribers quarterly. However, this approach created an unwanted delay between the release of new versions and the publication of information about vulnerabilities. We also receive a lot of questions about vulnerable product versions from our customers.