JetBrains TeamCity under attack by ransomware thugs after disclosure mess

Security researchers are increasingly seeing active exploit attempts using the latest vulnerabilities in JetBrains' TeamCity that in some cases are leading to ransomware deployment. Brody Nisbet, director of threat hunting operations at security shop CrowdStrike, xeeted on Tuesday that telemetry was already showing signs of …

  1. Doctor Syntax Silver badge

    "The situation has divided the cybersecurity community given that both parties have valid arguments for their respective policies."

    Reality seems to have decided the issue.

    1. Richard 12 Silver badge

      Well, no

      We don't have an alternative universe where JetBrains could quietly pretend nothing important was in the patch, apply it whenever - while miscreants (continue to) attack the holes thus silently disclosed.

      So we cannot compare whether this universe is better or worse.

      The security industry seems to have a pretty clear consensus that JetBrains were wrong though. People don't update unless they are basically forced to (Microsoft/Apple approach), or the release notes indicate Really Bad Juju if you don't.

      So a quiet security patch is bad. Users will simply ignore it for a very long time, while miscreants will not.

      1. Herr Mann

        Re: Well, no

        >pretend nothing important was in the patch

        If proactively filing a CVE and emailing customers to motivate them to upgrade due to a security vulnerability or apply a patch when it became available is called "pretending nothing important was in the patch", then I definitely am in a different universe to yours.

        >apply it whenever

        TeamCity is on-prem software; there is no way for JetBrains to "apply" any patch to force-update customers' software.

      2. yetanotheraoc Silver badge

        Re: Well, no

        The article: "The situation has divided the cybersecurity community"

        vs

        You: "The security industry seems to have a pretty clear consensus"

        Still, one could argue Rapid7 did JetBrains a big favour by making sure JetBrains' customers will be pissed off at Rapid7 instead of at JetBrains.

        1. Fred Daggy Silver badge

          Re: Well, no, actually, yes

          Rapid 7 have basically done the equivalent of shouting "Fire, Fire" in a packed cinema causing panic, when the cinema (JetBeans) had their own procedure for evacuating the cinema.

          If I was an affected JetBeans customer, I'd be lawyering up to take on Rapid 7, for sure.

      3. Kapsalon

        Re: Well, no

        This is not about users, this is about companies that are customers of JetBrains. So JetBrains can contact them and advise them to patch ASAP, explaining why. And then companies normally act. I have seen similar actions being taken by other vendors.

        I think Rapid7 wanted to get the credit for finding the vulnerabilities. That is OK, but don't publicise ALL details, don't throw JetBrains under the bus because they are not communicating correctly. CVEs without details should have been published on day 1 of patch availability, but not full details. From day 1 the companies/customers can patch, so same or next day (change procedures) or wait longer at their own risk.

        The best solution is to work together; this is a good example of what happens if you don't!

    2. Anonymous Coward

      Reality x (Corporate) Complacency = Entirely Predictable Clusterfuck.

  2. spireite

    Failing to apply patches is commonplace

    Not specific to TeamCity, but it's almost like admins are Jet for Brains.

    You have to question why you'd expose TC to the internet *without* insisting on a VPN or similar to get at it.

    1. CowHorseFrog Silver badge

      Re: Failing to apply patches is commonplace

      Exactly, there's no reason why some internal server like this should ever be on the public internet.

  3. hh121

    Still don't get it

    Why publish the how-to at all, unless you're a complete self-aggrandising wanker who wants to show off how clever you are? The people they're hurting aren't going to be buying anything from Rapid7, not before and definitely not after. Unless it's a bug bounty shake-down merchant, in which case who's the one taking hostages here?

  4. Anonymous Coward

    >Due to the uncoordinated disclosure of the two vulnerabilities between JetBrains and the researchers at Rapid7 who first discovered and reported the issues this week, all the information that was required for an attacker to develop a working exploit was made public on the same day the patches were released.

    But wasn't that Rapid7's plan all along? Their policy clearly states they intend to publish full vulnerability details along with the patched software. It's weird to be shifting blame on JetBrains for this.

    Coordinated or not, Rapid7 would be releasing full details anyway.
