Security Vulnerability Patch in YouTrack 6.5.17031

Posted on by Valerie Andrianova

Please welcome a fresh YouTrack 6.5.17031 update. This minor release is very important, because it contains a fix for the recently discovered vulnerability to XML External Entity (XXE) attacks. It affects the XML-based REST APIs, such as the user import or command intellisense API. This attack may lead to the disclosure of confidential data, denial of service, or port scanning performed from the perspective of the YouTrack host machine. This OWASP article explains the vulnerability in detail.

We strongly recommend that all our stand-alone customers upgrade to the latest YouTrack 6.5.17031 build. If you are using an older YouTrack version, please consider setting the following Java start parameters to mitigate the attack:

-Djavax.xml.accessExternalDTD=

-Djavax.xml.accessExternalSchema=

-Djavax.xml.accessExternalStylesheet=

Please note that the parameter values are intentionally left blank: an empty value means that no protocol is permitted for fetching external DTDs, schemas, or stylesheets. Please refer to the documentation if unsure how to set them.
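As an added illustration (not code from YouTrack or from this post), the following program applies the same JAXP restrictions in-process to a DocumentBuilderFactory and exercises it against a constructed XML document of the kind an XML import endpoint might receive; the class, method and sample names are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample input modelled on an XML import payload: the internal DTD declares
    // an external entity and the element content references it. The SYSTEM URI is a
    // placeholder that is not expected to exist on the machine running this demo.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE users [ <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\"> ]>\n"
        + "<users><user login=\"alice\"><fullName>&ext;</fullName></user></users>";

    // In-code equivalent of the start parameters from the post: an empty protocol list means
    // the parser may not fetch any external DTD or schema. The JAXP factories honour the same
    // values when given as -Djavax.xml.accessExternalDTD= etc. on the JVM command line.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // Stricter alternative when the application never needs a DOCTYPE at all:
        // f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    // Classifies what the parser did with the document. A hardened parser reports the
    // external reference as a fatal parse error before any fetch is attempted; a default
    // parser tries to fetch the URI and only fails here because the placeholder is absent.
    static String outcome(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return "parsed; the external entity was expanded into the document";
        } catch (SAXParseException e) {
            return "blocked by parser: " + e.getMessage();
        } catch (IOException e) {
            return "parser attempted to fetch the external resource: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + outcome(DocumentBuilderFactory.newInstance(), UNTRUSTED_XML));
        System.out.println("hardened -> " + outcome(hardenedFactory(), UNTRUSTED_XML));
    }
}
```

The hardened run should report a fatal parse error mentioning the accessExternalDTD restriction, while the default run shows the parser reaching out for the external resource, which is the behaviour the patch and the start parameters remove.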

All the InCloud servers are already upgraded to the latest build.

For more details about the changes made in this build, please check the Release Notes.

The Drive to Develop

– YouTrack JetBrains Team


2 Responses to Security Vulnerability Patch in YouTrack 6.5.17031

  1. iad says:

    March 24, 2016

    You forgot to post the vulnerability finder. That’s impolite.

    • Valerie Andrianova says:

      March 28, 2016

      Please accept our apologies, and thank you once again, we really appreciate your help!
