* . *
  • About
  • Advertise
  • Privacy & Policy
  • Contact
Tuesday, September 23, 2025
Earth-News
  • Home
  • Business
  • Entertainment
    Caesars Entertainment (CZR): Assessing Valuation After Times Square Casino Setback and Mounting Investor Concerns – simplywall.st

    Caesars Entertainment Faces Times Square Casino Hurdles as Investor Concerns Mount

    Why Hilaria Baldwin Has Found the ‘DWTS’ Process ‘Embarrassing’ At Times – WFXG

    Hilaria Baldwin Opens Up About the Embarrassing Moments on Her ‘DWTS’ Journey

    Harvest Fest 2025 – yadkinripple.com

    Celebrate the Bounty: Harvest Fest 2025 is Coming!

    Fox News Entertainment Newsletter: Kate Middleton stuns during Trump state visit, Brett James dead at 57 – Fox News

    Kate Middleton Stuns During Trump State Visit; Remembering Brett James at 57

    Lara Beitz to headline Oshkosh show with top comedians at Time Community Theater Sept. 27 – Yahoo

    Lara Beitz to Headline Star-Studded Oshkosh Comedy Night on September 27

    Shakespeare (with a twist) in Grand Junction – Yahoo

    Experience Shakespeare Like Never Before in Grand Junction

  • General
  • Health
  • News

    Cracking the Code: Why China’s Economic Challenges Aren’t Shaking Markets, Unlike America’s” – Bloomberg

    Trump’s Narrow Window to Spread the Truth About Harris

    Trump’s Narrow Window to Spread the Truth About Harris

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Trending Tags

    • Trump Inauguration
    • United Stated
    • White House
    • Market Stories
    • Election Results
  • Science
  • Sports
  • Technology
    Meta to expand Montgomery data hub, pushing total investment to $1.5 billion – Alabama Department of Commerce

    Meta to Supercharge Montgomery Data Hub with $1.5 Billion Investment

    Agentic AI and the future of work: navigating technological promise and the risk of increased automation – Equal Times

    Agentic AI and the Future of Work: Embracing Innovation While Navigating Automation Challenges

    Technology alliance introduces system for stable recycling quality – RECYCLING magazine

    Innovative Technology Alliance Unveils Breakthrough System for Consistent Recycling Quality

    Pepper Pike council considers upgrading technology for streaming meetings, remote meeting participation – Cleveland.com

    Pepper Pike Council Explores Upgrading Technology for Enhanced Streaming and Remote Participation

    How Michelin Uses Technology to Rethink Tire Manufacturing: Interview – Motor1.com

    How Michelin’s Tech-Driven Revolution Is Transforming Tire Manufacturing

    Analysts Offer Insights on Technology Companies: Avnet (AVT), Nvidia (NVDA) and Atlassian (TEAM) – The Globe and Mail

    Experts Share Key Insights on Avnet, Nvidia, and Atlassian’s Future Prospects

    Trending Tags

    • Nintendo Switch
    • CES 2017
    • Playstation 4 Pro
    • Mark Zuckerberg
No Result
View All Result
  • Home
  • Business
  • Entertainment
    Caesars Entertainment (CZR): Assessing Valuation After Times Square Casino Setback and Mounting Investor Concerns – simplywall.st

    Caesars Entertainment Faces Times Square Casino Hurdles as Investor Concerns Mount

    Why Hilaria Baldwin Has Found the ‘DWTS’ Process ‘Embarrassing’ At Times – WFXG

    Hilaria Baldwin Opens Up About the Embarrassing Moments on Her ‘DWTS’ Journey

    Harvest Fest 2025 – yadkinripple.com

    Celebrate the Bounty: Harvest Fest 2025 is Coming!

    Fox News Entertainment Newsletter: Kate Middleton stuns during Trump state visit, Brett James dead at 57 – Fox News

    Kate Middleton Stuns During Trump State Visit; Remembering Brett James at 57

    Lara Beitz to headline Oshkosh show with top comedians at Time Community Theater Sept. 27 – Yahoo

    Lara Beitz to Headline Star-Studded Oshkosh Comedy Night on September 27

    Shakespeare (with a twist) in Grand Junction – Yahoo

    Experience Shakespeare Like Never Before in Grand Junction

  • General
  • Health
  • News

    Cracking the Code: Why China’s Economic Challenges Aren’t Shaking Markets, Unlike America’s” – Bloomberg

    Trump’s Narrow Window to Spread the Truth About Harris

    Trump’s Narrow Window to Spread the Truth About Harris

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Trending Tags

    • Trump Inauguration
    • United Stated
    • White House
    • Market Stories
    • Election Results
  • Science
  • Sports
  • Technology
    Meta to expand Montgomery data hub, pushing total investment to $1.5 billion – Alabama Department of Commerce

    Meta to Supercharge Montgomery Data Hub with $1.5 Billion Investment

    Agentic AI and the future of work: navigating technological promise and the risk of increased automation – Equal Times

    Agentic AI and the Future of Work: Embracing Innovation While Navigating Automation Challenges

    Technology alliance introduces system for stable recycling quality – RECYCLING magazine

    Innovative Technology Alliance Unveils Breakthrough System for Consistent Recycling Quality

    Pepper Pike council considers upgrading technology for streaming meetings, remote meeting participation – Cleveland.com

    Pepper Pike Council Explores Upgrading Technology for Enhanced Streaming and Remote Participation

    How Michelin Uses Technology to Rethink Tire Manufacturing: Interview – Motor1.com

    How Michelin’s Tech-Driven Revolution Is Transforming Tire Manufacturing

    Analysts Offer Insights on Technology Companies: Avnet (AVT), Nvidia (NVDA) and Atlassian (TEAM) – The Globe and Mail

    Experts Share Key Insights on Avnet, Nvidia, and Atlassian’s Future Prospects

    Trending Tags

    • Nintendo Switch
    • CES 2017
    • Playstation 4 Pro
    • Mark Zuckerberg
No Result
View All Result
Earth-News
No Result
View All Result
Home Technology

Rapid7 hits out over botched vulnerability disclosure

March 6, 2024
in Technology
Rapid7 hits out over botched vulnerability disclosure
Share on FacebookShare on Twitter

Software development firm JetBrains and security specialist Rapid7 fall out over the handling of a critical vulnerability disclosure, while customers are left rushing to patch


Alex Scroxton

By

Alex Scroxton,
Security Editor

Published: 05 Mar 2024 21:31

JetBrains, the maker of a continuous integration and delivery (CI/CD) server platform called TeamCity, and cyber security firm Rapid7 are trading blows over the handling of two serious vulnerabilities in the service as customers rush to patch in the face of confirmed exploitation.

The two issues in question are tracked as CVE-2024-27198 and CVE-2024-27199. The first is an authentication bypass flaw in TeamCity’s web component via an alternative pass issue, with a CVSS base score of 9.8, meaning it is a critical issue. The second has the same effect, but has a CVSS base score of 7.3.

In a blog posting detailing the issues, Rapid7 principal researcher Stephen Fewer, who discovered the vulnerabilities, wrote: “Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artefacts, and as such is a suitable vector to position an attacker to perform a supply chain attack.”

At the core of the disagreement lies a difference in approaches to vulnerability disclosure and patching.

The vulnerabilities were disclosed to JetBrains via its coordinated disclosure policy on Thursday 15 February 2024. JetBrains acknowledged this on Monday 19 February and reproduced the issues on Tuesday 20 February after being provided with technical analysis by Rapid7.

In Rapid7’s version of the narrative, JetBrains then suggested releasing patches privately before a public disclosure. It responded by emphasising the importance of coordinated disclosure, and outlined its stance against so-called silent patching.

Things then went quiet for several days until Friday 1 March, when Rapid7 went back to JetBrains and restated a request for more information about affected versions of TeamCity and vendor mitigation guidance. It was advised of the assigned CVE numbers, but otherwise told the issue was still under investigation.

Then, on Monday 4 March, with no communication to Rapid7, JetBrains published a blog announcing the release of the new version of TeamCity, which patched the vulnerabilities. Rapid7 said it expressed its concern that the patch was released without notification or coordination, and with no published advisories.

For TeamCity on-premise users, the botched disclosure means the ability to assess your risk factors has been taken away, and the only solution is to patch immediately

Under its own vulnerability disclosure policy, if Rapid7 becomes aware a silent patch was issued, it will “aim to publish” details of the vulnerability within 24 hours, which it has now done.

JetBrains has since published a blog on the issue, and an advisory, and stated that the CVEs were included in the release notes for the new version of TeamCity, but it has not directly responded to Rapid7’s concerns about the uncoordinated disclosure.

In JetBrains’ version of the story, it does not dispute it proposed what Rapid7 would term a silent patch, but maintained that this disclosure method followed its coordinated disclosure policy.

It said it wanted to follow this path to enable customers to make an informed decision about the risk level, to give them time to upgrade, and to stop less skilled attackers from exploiting the flaws in the interim.

JetBrains said it made a decision not to make a coordinated disclosure after learning that this would mean Rapid7 would publish full technical details of the vulnerabilities at the same time the patches dropped.

“To reiterate, we never had any intention to release a fix silently without making the full details public. As a CVE Numbering Authority (CNA), we assigned CVE IDs for both issues a day after receiving the report,” wrote Daniel Gallo, TeamCity solutions engineer at JetBrains.

“We suggested disclosing the details of the vulnerabilities in the same way we have followed in the past, with a time delay between releasing a fix and making a full disclosure, which allows our customers to upgrade their TeamCity instances.

“This suggestion was rejected by the Rapid7 team who published full details of the vulnerabilities and how to exploit them a few hours after we had released a fix to TeamCity customers.”

Silent patching: a bad idea

The approach to coordinated disclosure taken by Rapid7 is widely accepted and entirely normal within the cyber security world,

While JetBrains has not explicitly stated why it rejects this approach, writing in 2022, Rapid7’s principal security research manager, Tod Beardsley, offered a possible explanation when he said that taken at face value, silent patching might seem appropriate to some because it seems to limit the pool of people who understand the issue and how to take advantage of it.

“Silent patching is tantamount to full disclosure to a very small audience who mostly want to hurt you and your users”

Tod Beardsley, Rapid7

Outlining why this is not the case, Beardsley wrote: “When a software company release a patch … at some point it’s got to modify the code on the running software, which means it’s all available to anyone who has a running instance of the patched software and knows how to use a debugger and a disassembler. And who uses debuggers to inspect the effects of patches? Exploit developers, almost exclusively.”

With this in mind, said Beardsley, silent patching in fact limits knowledge of the patched vulnerability to skilled exploit developers, that is to say threat actors, so while it is true that silent patching cuts out casual, low-skilled hackers and script kiddies, it also excludes the good guys, legitimate pen testers, the developers of defensive technologies, incident responders, and the entire cyber community who might benefit from being able to understand the issue better and communicate it effectively.

“Most significantly, you’re excluding the most important audience for your patch: the regular IT administrators and managers who need to sort out the incoming flow of patches based on some risk and severity criteria and make the call for downtime and update scheduling based on that criteria. Not all vulnerabilities are equal, and while protectors want to get around to all of them, they need to figure out which ones to apply today and which ones can wait for the next maintenance cycle,” he wrote.

Summing up Rapid7’s argument, Beardsley said silent patching communicates vulnerability details “exclusively” to the skilled cyber criminal attackers and nation-state actors who are already targeting the vulnerable product.

“All this is to say, silent patching is tantamount to full disclosure to a very small audience who mostly want to hurt you and your users,” he concluded.

In the case of the new TeamCity vulnerabilities, the importance of coordinated disclosure takes on additional importance, given that previous issues in the service have been heavily exploited by none other than APT29, aka Cozy Bear, the cyber unit of the Russian foreign intelligence service (SVR).

For TeamCity on-premise users caught in the crossfire – cloud versions are fully patched – the guidance is simple: the botched disclosure means the ability to assess your risk factors has been taken away, and the only solution is to patch immediately.

Read more on Business continuity planning


Critical JetBrains TeamCity vulnerabilities under attack

ArielleWaldman

By: Arielle Waldman


Russian APT exploiting JetBrains TeamCity vulnerability

ArielleWaldman

By: Arielle Waldman


North Korean hackers exploit critical TeamCity vulnerability

ArielleWaldman

By: Arielle Waldman


Ransomware gang targets critical Progress WS_FTP Server bug

AlexanderCulafi

By: Alexander Culafi

>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : Computer Weekly – https://www.computerweekly.com/news/366572453/Rapid7-hits-out-over-botched-vulnerability-disclosure

Tags: botchedRapidtechnology
Previous Post

ALPHV/BlackCat gang vanishes amid ransomware ‘turmoil’

Next Post

Interview: How a fundraiser became more data-savvy

Statue of President Trump and Jeffrey Epstein titled ‘Best Friends Forever’ appears on National Mall – CNN

Best Friends Forever’: Controversial Statue of President Trump and Jeffrey Epstein Erected on National Mall

September 23, 2025
Tropical biodiversity loss from land-use change is severely underestimated by local-scale assessments – Nature

Tropical Biodiversity Loss from Land-Use Change Is Much Worse Than Local Studies Show

September 23, 2025
NIH launches $50M Autism Data Science Initiative to unlock causes and improve outcomes – National Institutes of Health (NIH) | (.gov)

NIH Launches $50M Autism Data Science Initiative to Uncover Causes and Improve Lives

September 23, 2025
Scientists make incredible discovery that solves dangerous issue with plastic: ‘We can help the world’ – Yahoo

Scientists make incredible discovery that solves dangerous issue with plastic: ‘We can help the world’ – Yahoo

September 23, 2025
10 money lessons Boomers learned young that still shape their life choices – VegOut

10 Powerful Money Lessons Boomers Learned Early That Still Shape Their Lives Today

September 23, 2025
Meta to expand Montgomery data hub, pushing total investment to $1.5 billion – Alabama Department of Commerce

Meta to Supercharge Montgomery Data Hub with $1.5 Billion Investment

September 23, 2025
Packers’ Josh Jacobs dealing with a super concerning rushing stat – Yahoo Sports

Packers’ Josh Jacobs dealing with a super concerning rushing stat – Yahoo Sports

September 23, 2025
U.S. and Israel against the world as Palestine dominates UN week – Axios

U.S. and Israel against the world as Palestine dominates UN week – Axios

September 23, 2025
Global economic outlook weakens as policy uncertainty weighs on demand – OECD

Global economic outlook weakens as policy uncertainty weighs on demand – OECD

September 23, 2025
Caesars Entertainment (CZR): Assessing Valuation After Times Square Casino Setback and Mounting Investor Concerns – simplywall.st

Caesars Entertainment Faces Times Square Casino Hurdles as Investor Concerns Mount

September 23, 2025

Categories

Archives

September 2025
MTWTFSS
1234567
891011121314
15161718192021
22232425262728
2930 
« Aug    
Earth-News.info

The Earth News is an independent English-language daily published Website from all around the World News

Browse by Category

  • Business (20,132)
  • Ecology (833)
  • Economy (853)
  • Entertainment (21,731)
  • General (17,201)
  • Health (9,896)
  • Lifestyle (866)
  • News (22,149)
  • People (856)
  • Politics (864)
  • Science (16,064)
  • Sports (21,353)
  • Technology (15,836)
  • World (837)

Recent News

Statue of President Trump and Jeffrey Epstein titled ‘Best Friends Forever’ appears on National Mall – CNN

Best Friends Forever’: Controversial Statue of President Trump and Jeffrey Epstein Erected on National Mall

September 23, 2025
Tropical biodiversity loss from land-use change is severely underestimated by local-scale assessments – Nature

Tropical Biodiversity Loss from Land-Use Change Is Much Worse Than Local Studies Show

September 23, 2025
  • About
  • Advertise
  • Privacy & Policy
  • Contact

© 2023 earth-news.info

No Result
View All Result

© 2023 earth-news.info

No Result
View All Result

© 2023 earth-news.info

Go to mobile version