* . *
  • About
  • Advertise
  • Privacy & Policy
  • Contact
Wednesday, June 25, 2025
Earth-News
  • Home
  • Business
  • Entertainment
    George Lopez is coming to Spokane – KXLY.com

    George Lopez is coming to Spokane – KXLY.com

    Netflix unveils Dallas immersive venue for fans of hit shows like ‘Squid Game,’ ‘Stranger Things’ – Houston Chronicle

    Step Inside Netflix’s New Dallas Immersive Experience Featuring Hits Like ‘Squid Game’ and ‘Stranger Things

    ‘Puttin’ on the Ritz’: Civic Players bring ‘Young Frankenstein’ to life – Yahoo

    Civic Players Deliver a Hilarious and Unforgettable Performance of ‘Young Frankenstein

    ‘Wheel of Fortune’: Amputee Wins $60,000 After Breaking Incredible ‘Curse’ – Hastings Tribune

    Wheel of Fortune’ Amputee Breaks Incredible ‘Curse’ to Win $60,000!

    North Star Sports & Entertainment Network: Coming soon – KTTC News

    North Star Sports & Entertainment Network: Coming soon – KTTC News

    Safety concerns in Deep Ellum create apprehension as the entertainment district gains visitors – CBS News

    Safety Concerns Surge Amid Deep Ellum’s Booming Popularity and Growing Crowds

  • General
  • Health
  • News

    Cracking the Code: Why China’s Economic Challenges Aren’t Shaking Markets, Unlike America’s” – Bloomberg

    Trump’s Narrow Window to Spread the Truth About Harris

    Trump’s Narrow Window to Spread the Truth About Harris

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Trending Tags

    • Trump Inauguration
    • United Stated
    • White House
    • Market Stories
    • Election Results
  • Science
  • Sports
  • Technology
    Defense technology giant Northrop Grumman to host interviews in Iuka to fill technician roles – supertalk.fm

    Defense technology giant Northrop Grumman to host interviews in Iuka to fill technician roles – supertalk.fm

    China’s Military Introduces Mosquito-Sized Drones: A Game-Changing Surveillance Technology – Indian Defence Review

    China Unveils Mosquito-Sized Drones: Revolutionizing Surveillance Technology

    Marvell Technology Stock Rallies After AI Event Sparks Investor Optimism – Yahoo Finance

    Marvell Technology Stock Rallies After AI Event Sparks Investor Optimism – Yahoo Finance

    Promising Technology Stocks To Follow Today – June 22nd – MarketBeat

    Top Technology Stocks to Watch Today – June 22nd

    Technology Convergence Report 2025 – The World Economic Forum

    Technology Convergence Report 2025 – The World Economic Forum

    How AI can help make cities work better for residents – MIT Technology Review

    How AI can help make cities work better for residents – MIT Technology Review

    Trending Tags

    • Nintendo Switch
    • CES 2017
    • Playstation 4 Pro
    • Mark Zuckerberg
No Result
View All Result
  • Home
  • Business
  • Entertainment
    George Lopez is coming to Spokane – KXLY.com

    George Lopez is coming to Spokane – KXLY.com

    Netflix unveils Dallas immersive venue for fans of hit shows like ‘Squid Game,’ ‘Stranger Things’ – Houston Chronicle

    Step Inside Netflix’s New Dallas Immersive Experience Featuring Hits Like ‘Squid Game’ and ‘Stranger Things

    ‘Puttin’ on the Ritz’: Civic Players bring ‘Young Frankenstein’ to life – Yahoo

    Civic Players Deliver a Hilarious and Unforgettable Performance of ‘Young Frankenstein

    ‘Wheel of Fortune’: Amputee Wins $60,000 After Breaking Incredible ‘Curse’ – Hastings Tribune

    Wheel of Fortune’ Amputee Breaks Incredible ‘Curse’ to Win $60,000!

    North Star Sports & Entertainment Network: Coming soon – KTTC News

    North Star Sports & Entertainment Network: Coming soon – KTTC News

    Safety concerns in Deep Ellum create apprehension as the entertainment district gains visitors – CBS News

    Safety Concerns Surge Amid Deep Ellum’s Booming Popularity and Growing Crowds

  • General
  • Health
  • News

    Cracking the Code: Why China’s Economic Challenges Aren’t Shaking Markets, Unlike America’s” – Bloomberg

    Trump’s Narrow Window to Spread the Truth About Harris

    Trump’s Narrow Window to Spread the Truth About Harris

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Trending Tags

    • Trump Inauguration
    • United Stated
    • White House
    • Market Stories
    • Election Results
  • Science
  • Sports
  • Technology
    Defense technology giant Northrop Grumman to host interviews in Iuka to fill technician roles – supertalk.fm

    Defense technology giant Northrop Grumman to host interviews in Iuka to fill technician roles – supertalk.fm

    China’s Military Introduces Mosquito-Sized Drones: A Game-Changing Surveillance Technology – Indian Defence Review

    China Unveils Mosquito-Sized Drones: Revolutionizing Surveillance Technology

    Marvell Technology Stock Rallies After AI Event Sparks Investor Optimism – Yahoo Finance

    Marvell Technology Stock Rallies After AI Event Sparks Investor Optimism – Yahoo Finance

    Promising Technology Stocks To Follow Today – June 22nd – MarketBeat

    Top Technology Stocks to Watch Today – June 22nd

    Technology Convergence Report 2025 – The World Economic Forum

    Technology Convergence Report 2025 – The World Economic Forum

    How AI can help make cities work better for residents – MIT Technology Review

    How AI can help make cities work better for residents – MIT Technology Review

    Trending Tags

    • Nintendo Switch
    • CES 2017
    • Playstation 4 Pro
    • Mark Zuckerberg
No Result
View All Result
Earth-News
No Result
View All Result
Home Technology

Rapid7 hits out over botched vulnerability disclosure

March 6, 2024
in Technology
Rapid7 hits out over botched vulnerability disclosure
Share on FacebookShare on Twitter

Software development firm JetBrains and security specialist Rapid7 fall out over the handling of a critical vulnerability disclosure, while customers are left rushing to patch


Alex Scroxton

By

Alex Scroxton,
Security Editor

Published: 05 Mar 2024 21:31

JetBrains, the maker of a continuous integration and delivery (CI/CD) server platform called TeamCity, and cyber security firm Rapid7 are trading blows over the handling of two serious vulnerabilities in the service as customers rush to patch in the face of confirmed exploitation.

The two issues in question are tracked as CVE-2024-27198 and CVE-2024-27199. The first is an authentication bypass flaw in TeamCity’s web component via an alternative pass issue, with a CVSS base score of 9.8, meaning it is a critical issue. The second has the same effect, but has a CVSS base score of 7.3.

In a blog posting detailing the issues, Rapid7 principal researcher Stephen Fewer, who discovered the vulnerabilities, wrote: “Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artefacts, and as such is a suitable vector to position an attacker to perform a supply chain attack.”

At the core of the disagreement lies a difference in approaches to vulnerability disclosure and patching.

The vulnerabilities were disclosed to JetBrains via its coordinated disclosure policy on Thursday 15 February 2024. JetBrains acknowledged this on Monday 19 February and reproduced the issues on Tuesday 20 February after being provided with technical analysis by Rapid7.

In Rapid7’s version of the narrative, JetBrains then suggested releasing patches privately before a public disclosure. It responded by emphasising the importance of coordinated disclosure, and outlined its stance against so-called silent patching.

Things then went quiet for several days until Friday 1 March, when Rapid7 went back to JetBrains and restated a request for more information about affected versions of TeamCity and vendor mitigation guidance. It was advised of the assigned CVE numbers, but otherwise told the issue was still under investigation.

Then, on Monday 4 March, with no communication to Rapid7, JetBrains published a blog announcing the release of the new version of TeamCity, which patched the vulnerabilities. Rapid7 said it expressed its concern that the patch was released without notification or coordination, and with no published advisories.

For TeamCity on-premise users, the botched disclosure means the ability to assess your risk factors has been taken away, and the only solution is to patch immediately

Under its own vulnerability disclosure policy, if Rapid7 becomes aware a silent patch was issued, it will “aim to publish” details of the vulnerability within 24 hours, which it has now done.

JetBrains has since published a blog on the issue, and an advisory, and stated that the CVEs were included in the release notes for the new version of TeamCity, but it has not directly responded to Rapid7’s concerns about the uncoordinated disclosure.

In JetBrains’ version of the story, it does not dispute it proposed what Rapid7 would term a silent patch, but maintained that this disclosure method followed its coordinated disclosure policy.

It said it wanted to follow this path to enable customers to make an informed decision about the risk level, to give them time to upgrade, and to stop less skilled attackers from exploiting the flaws in the interim.

JetBrains said it made a decision not to make a coordinated disclosure after learning that this would mean Rapid7 would publish full technical details of the vulnerabilities at the same time the patches dropped.

“To reiterate, we never had any intention to release a fix silently without making the full details public. As a CVE Numbering Authority (CNA), we assigned CVE IDs for both issues a day after receiving the report,” wrote Daniel Gallo, TeamCity solutions engineer at JetBrains.

“We suggested disclosing the details of the vulnerabilities in the same way we have followed in the past, with a time delay between releasing a fix and making a full disclosure, which allows our customers to upgrade their TeamCity instances.

“This suggestion was rejected by the Rapid7 team who published full details of the vulnerabilities and how to exploit them a few hours after we had released a fix to TeamCity customers.”

Silent patching: a bad idea

The approach to coordinated disclosure taken by Rapid7 is widely accepted and entirely normal within the cyber security world,

While JetBrains has not explicitly stated why it rejects this approach, writing in 2022, Rapid7’s principal security research manager, Tod Beardsley, offered a possible explanation when he said that taken at face value, silent patching might seem appropriate to some because it seems to limit the pool of people who understand the issue and how to take advantage of it.

“Silent patching is tantamount to full disclosure to a very small audience who mostly want to hurt you and your users”

Tod Beardsley, Rapid7

Outlining why this is not the case, Beardsley wrote: “When a software company release a patch … at some point it’s got to modify the code on the running software, which means it’s all available to anyone who has a running instance of the patched software and knows how to use a debugger and a disassembler. And who uses debuggers to inspect the effects of patches? Exploit developers, almost exclusively.”

With this in mind, said Beardsley, silent patching in fact limits knowledge of the patched vulnerability to skilled exploit developers, that is to say threat actors, so while it is true that silent patching cuts out casual, low-skilled hackers and script kiddies, it also excludes the good guys, legitimate pen testers, the developers of defensive technologies, incident responders, and the entire cyber community who might benefit from being able to understand the issue better and communicate it effectively.

“Most significantly, you’re excluding the most important audience for your patch: the regular IT administrators and managers who need to sort out the incoming flow of patches based on some risk and severity criteria and make the call for downtime and update scheduling based on that criteria. Not all vulnerabilities are equal, and while protectors want to get around to all of them, they need to figure out which ones to apply today and which ones can wait for the next maintenance cycle,” he wrote.

Summing up Rapid7’s argument, Beardsley said silent patching communicates vulnerability details “exclusively” to the skilled cyber criminal attackers and nation-state actors who are already targeting the vulnerable product.

“All this is to say, silent patching is tantamount to full disclosure to a very small audience who mostly want to hurt you and your users,” he concluded.

In the case of the new TeamCity vulnerabilities, the importance of coordinated disclosure takes on additional importance, given that previous issues in the service have been heavily exploited by none other than APT29, aka Cozy Bear, the cyber unit of the Russian foreign intelligence service (SVR).

For TeamCity on-premise users caught in the crossfire – cloud versions are fully patched – the guidance is simple: the botched disclosure means the ability to assess your risk factors has been taken away, and the only solution is to patch immediately.

Read more on Business continuity planning


Critical JetBrains TeamCity vulnerabilities under attack

ArielleWaldman

By: Arielle Waldman


Russian APT exploiting JetBrains TeamCity vulnerability

ArielleWaldman

By: Arielle Waldman


North Korean hackers exploit critical TeamCity vulnerability

ArielleWaldman

By: Arielle Waldman


Ransomware gang targets critical Progress WS_FTP Server bug

AlexanderCulafi

By: Alexander Culafi

>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : Computer Weekly – https://www.computerweekly.com/news/366572453/Rapid7-hits-out-over-botched-vulnerability-disclosure

Tags: botchedRapidtechnology
Previous Post

ALPHV/BlackCat gang vanishes amid ransomware ‘turmoil’

Next Post

Interview: How a fundraiser became more data-savvy

City council approves Sports Illustrated Resort – WBRC 6 News

City Council Gives Green Light to Exciting New Sports Illustrated Resort

June 25, 2025
MEPAG Search for Life – Science Analysis Group Science Community Virtual Workshops – astrobiology.com

MEPAG Search for Life – Science Analysis Group Science Community Virtual Workshops – astrobiology.com

June 25, 2025
Volusia County Marine Science Center reopens to the public – Spectrum News 13

Volusia County Marine Science Center Welcomes Visitors Once Again

June 25, 2025

Boss Lifestyle’ Ponzi Scheme Mastermind Admits Guilt in $23 Million Fraud Scandal

June 25, 2025
Exclusive | Stablecoin World Opens Up to Main Street Banks – WSJ

Exclusive | Stablecoin World Opens Up to Main Street Banks – WSJ

June 25, 2025
UK calls China a major challenge but an essential economic partner – AP News

UK Labels China a Major Challenge While Emphasizing Its Role as a Vital Economic Partner

June 25, 2025
George Lopez is coming to Spokane – KXLY.com

George Lopez is coming to Spokane – KXLY.com

June 25, 2025
Neera Tanden defends use of presidential autopen, denies covering up Biden’s health – WSYX

Neera Tanden Defends Use of Presidential Autopen, Rejects Claims of Concealing Biden’s Health Information

June 25, 2025
Blake Farenthold, 63, Congressman Who Quit in Harassment Case, Dies – The New York Times

Former Congressman Blake Farenthold, Who Resigned Amid Harassment Scandal, Dies at 63

June 25, 2025
Defense technology giant Northrop Grumman to host interviews in Iuka to fill technician roles – supertalk.fm

Defense technology giant Northrop Grumman to host interviews in Iuka to fill technician roles – supertalk.fm

June 25, 2025

Categories

Archives

June 2025
MTWTFSS
 1
2345678
9101112131415
16171819202122
23242526272829
30 
« May    
Earth-News.info

The Earth News is an independent English-language daily published Website from all around the World News

Browse by Category

  • Business (20,132)
  • Ecology (698)
  • Economy (716)
  • Entertainment (21,612)
  • General (15,555)
  • Health (9,755)
  • Lifestyle (721)
  • News (22,149)
  • People (718)
  • Politics (723)
  • Science (15,934)
  • Sports (21,213)
  • Technology (15,701)
  • World (696)

Recent News

City council approves Sports Illustrated Resort – WBRC 6 News

City Council Gives Green Light to Exciting New Sports Illustrated Resort

June 25, 2025
MEPAG Search for Life – Science Analysis Group Science Community Virtual Workshops – astrobiology.com

MEPAG Search for Life – Science Analysis Group Science Community Virtual Workshops – astrobiology.com

June 25, 2025
  • About
  • Advertise
  • Privacy & Policy
  • Contact

© 2023 earth-news.info

No Result
View All Result

© 2023 earth-news.info

No Result
View All Result

© 2023 earth-news.info

Go to mobile version