  • Tim Burns

JetBrains Security Breach

While I was hoping to spend a focused day on development and writing, I was greeted by this:


Widely Used Software Company May Be Entry Point for Huge U.S. Hacking

JetBrains has offered a statement denying it, but the NYT is a credible source and, if true, this is massive.


JetBrains has denied the allegation.


The last security update was in November.


https://blog.jetbrains.com/2020/11/16/jetbrains-security-bulletin-q3-2020/


Most developers use only IntelliJ or its derivatives, such as PyCharm, and should be aware of https://nvd.nist.gov/vuln/detail/CVE-2020-11690.


A vulnerability can be innocuous by itself, but a good hack generally entails leveraging one vulnerability to open another. JetBrains uses many third-party Python, Java, and other libraries in the IDE, and introducing a malicious host at the system level could exploit other vulnerabilities.


The best approach here is to upgrade your PyCharm and IntelliJ. Avoid TeamCity until we understand better how it was leveraged in the SolarWinds attack.


Here are some CVEs for JetBrains.


https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=jetbrains&search_type=all


Critical and High:


https://nvd.nist.gov/vuln/detail/CVE-2020-25207 (Critical)

https://nvd.nist.gov/vuln/detail/CVE-2020-27623

https://nvd.nist.gov/vuln/detail/CVE-2020-25209

https://nvd.nist.gov/vuln/detail/CVE-2020-25013

https://nvd.nist.gov/vuln/detail/CVE-2020-15822

https://nvd.nist.gov/vuln/detail/CVE-2020-15827

https://nvd.nist.gov/vuln/detail/CVE-2020-15825

https://nvd.nist.gov/vuln/detail/CVE-2020-15824

https://nvd.nist.gov/vuln/detail/CVE-2020-15817

https://nvd.nist.gov/vuln/detail/CVE-2020-15823

https://nvd.nist.gov/vuln/detail/CVE-2020-11796 (Critical)

https://nvd.nist.gov/vuln/detail/CVE-2020-11795

https://nvd.nist.gov/vuln/detail/CVE-2020-11693

https://nvd.nist.gov/vuln/detail/CVE-2020-11691

https://nvd.nist.gov/vuln/detail/CVE-2020-11690 (Critical)

https://nvd.nist.gov/vuln/detail/CVE-2020-11688

https://nvd.nist.gov/vuln/detail/CVE-2020-11687



