
Critical Security Issue Affecting TeamCity On-Premises – Update to 2023.05.4 Now


Summary

  • A critical security issue was recently identified in TeamCity On-Premises (initially discovered and reported to us by the team at Sonar).
  • This critical security vulnerability has been assigned the CVE identifier CVE-2023-42793 and is classified as weakness CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
  • The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution (RCE) attack and gain administrative control of the TeamCity server.
  • This vulnerability has been fixed in version 2023.05.4.
  • We encourage all users to update their servers to the latest version.
  • For those who are unable to do so, we have released a security patch plugin (details below).

Details

A critical security issue was recently identified in TeamCity On-Premises. If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution (RCE) attack and gain administrative control of the TeamCity server. 

All versions of TeamCity On-Premises prior to 2023.05.4 are affected by this critical security vulnerability. It has been assigned the CVE identifier CVE-2023-42793 and is classified as weakness CWE-288 (Authentication Bypass Using an Alternate Path or Channel). This issue does not impact TeamCity Cloud, and we have already upgraded TeamCity Cloud servers to the latest version.

We have fixed this vulnerability in version 2023.05.4, and have already notified our customers. We will also be releasing additional technical details of the vulnerability soon. In the meantime, we strongly advise all users of TeamCity On-Premises to update their servers to 2023.05.4 to mitigate the issue.

To update your server, download the latest version (2023.05.4) or use the automatic update option within TeamCity.

If you are unable to update your server to version 2023.05.4, we have also released a security patch plugin so that you can still patch your environment. The security patch plugin can be downloaded using one of the links below and installed on TeamCity 8.0+. It will patch the specific RCE vulnerability described above. For TeamCity 2019.2 and later, the plugin can be enabled without restarting the TeamCity server. For versions older than 2019.2, a server restart is required after the plugin has been installed.

Security patch plugin: for TeamCity 2018.2 to 2023.05.3 | for TeamCity 8.0 to 2018.1

See TeamCity plugin installation instructions for information on installing these plugins.

Important: The security patch plugin will only address the RCE vulnerability described above. We always recommend users upgrade their servers to the latest version to benefit from many other security updates. 
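The version thresholds above (fixed release 2023.05.4, the two plugin builds covering 8.0 to 2018.1 and 2018.2 to 2023.05.3, and the 2019.2 cut-off for restart-free plugin activation) are easy to mis-apply when triaging a fleet of servers. The following Python helper is an added example, not JetBrains code, that encodes those thresholds from this advisory and classifies a list of TeamCity version strings; the inventory in `SAMPLE_INVENTORY` is constructed for illustration, and the plugin names are descriptive labels, not the plugin file names.

```python
"""Triage helper for CVE-2023-42793: classify TeamCity On-Premises versions
against the thresholds stated in the advisory (added example, not JetBrains code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Thresholds taken from the advisory text.
FIXED_VERSION = (2023, 5, 4)   # first release containing the fix
PLUGIN_NEW_MIN = (2018, 2)     # patch plugin build for 2018.2 .. 2023.05.3
PLUGIN_OLD_MIN = (8, 0)        # patch plugin build for 8.0 .. 2018.1
NO_RESTART_MIN = (2019, 2)     # from here on the plugin can be enabled without a restart


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a TeamCity version string such as '2023.05.3', '2019.2' or '8.0' into a
    comparable tuple. Anything after the first whitespace (e.g. a build number) is ignored."""
    head = text.strip().split()[0] if text.strip() else ""
    parts = head.split(".")
    if not head or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a TeamCity version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Triage:
    version: str
    affected: bool
    action: str
    patch_plugin: Optional[str]   # None when no plugin build covers this version
    restart_required: bool        # only meaningful when a plugin is recommended


def triage(version_text: str) -> Triage:
    """Apply the advisory's guidance to one server version."""
    v = parse_version(version_text)
    if v >= FIXED_VERSION:
        return Triage(version_text, False, "no action: fixed release", None, False)
    if v >= PLUGIN_NEW_MIN:
        plugin = "security patch plugin for TeamCity 2018.2 to 2023.05.3"
    elif v >= PLUGIN_OLD_MIN:
        plugin = "security patch plugin for TeamCity 8.0 to 2018.1"
    else:
        plugin = None  # older than 8.0: the advisory offers no plugin for these
    restart = v < NO_RESTART_MIN
    if plugin is None:
        action = "upgrade to 2023.05.4 (no patch plugin covers this version)"
    else:
        action = f"upgrade to 2023.05.4; until then install the {plugin}"
        action += " (server restart required)" if restart else " (no restart needed)"
    return Triage(version_text, True, action, plugin, restart)


# Constructed sample inventory: hostname -> reported TeamCity version.
SAMPLE_INVENTORY = {
    "ci-prod.example.internal": "2023.05.3",
    "ci-legacy.example.internal": "2018.1",
    "ci-old.example.internal": "2019.1.5",
    "ci-new.example.internal": "2023.05.4",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        t = triage(ver)
        flag = "AFFECTED" if t.affected else "ok"
        print(f"{host:28} {ver:10} {flag:8} {t.action}")
```

Feed it the version strings your own inventory tooling reports; any server it marks AFFECTED and publicly reachable should also be taken offline until one of the mitigation steps above is complete, as the advisory recommends.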

If your server is publicly accessible over the internet and you are unable to perform one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions have been completed.

A complete list of recently fixed security issues is available on the Fixed security issues page on the JetBrains website. You can also subscribe to receive notifications about fixes in all JetBrains products via email.

Frequently asked questions

Which versions are affected?

All versions prior to the patched version (2023.05.4) are affected by the issue. We recommend upgrading as soon as possible.

Is TeamCity Cloud affected?

This issue does not impact TeamCity Cloud, and we have already upgraded TeamCity Cloud servers to the latest version.

Is it possible to backport the fix to our version? 

We are not considering backports at this point. Please keep in mind that the plugin we have released mitigates this issue and is compatible with TeamCity 8.0+. 

Support

If you have any questions regarding this issue or encounter problems upgrading, please get in touch with the TeamCity Support team by submitting a ticket.
