top | item 40674677


mattjaynes | 1 year ago

I have a client who was using JetBrains' TeamCity CI product. It was a clown show of vulnerabilities that allowed attackers access to internals.

Do not use their products. If you must for some reason, be sure you subscribe to critical CVEs for the products you are using, update them immediately, and rotate your credentials. Ideally re-install on a fresh server. Never have the service available via the public web; it will be hacked. Only use their products behind a VPN.

https://blog.jetbrains.com/teamcity/2024/02/critical-securit... https://blog.jetbrains.com/teamcity/2024/03/additional-criti...
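The "only behind a VPN" advice in the post above can be checked mechanically rather than by eyeballing. The following is an added example, not code from this thread or from JetBrains: it parses `ss -ltn` output (a constructed sample here; on a real host feed it the live command output) and flags any listener on a watched port that is bound to a wildcard address or to an address outside the loopback and VPN ranges. The VPN range 10.8.0.0/16 is an assumption for illustration; 8111 is TeamCity's default HTTP port, and 9090 is just a second hypothetical service.

```python
"""Flag CI listeners that are reachable from outside loopback/VPN ranges.

Added example: parses `ss -ltn` output and reports sockets bound to a
wildcard or non-VPN address on ports we care about.
"""
import ipaddress

# Assumption for this example: the VPN hands out 10.8.0.0/16, and only
# loopback or that range may carry the CI server's listener.
PRIVATE_OK = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.8.0.0/16"),
]

# Bind addresses that mean "every interface" in ss output.
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    0.0.0.0:8111         0.0.0.0:*
LISTEN  0       4096    10.8.0.5:9090        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     203.0.113.7:8111     0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Split on the last ':' so IPv6 literals like [::]:22 survive.
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_exposed(addr):
    """True if addr is a wildcard bind or lies outside PRIVATE_OK."""
    if addr in WILDCARDS:
        return True
    ip = ipaddress.ip_address(addr)
    # Mixed-family membership tests simply return False, which is what we want.
    return not any(ip in net for net in PRIVATE_OK)


def exposed_listeners(ss_output, watched_ports):
    """Sorted list of (addr, port) on watched ports that are exposed."""
    return sorted(
        {(a, p) for a, p in parse_listeners(ss_output)
         if p in watched_ports and is_exposed(a)}
    )


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS, {8111, 9090}):
        print(f"EXPOSED: {addr}:{port} is reachable beyond loopback/VPN")
```

On the sample, the two 8111 binds (one wildcard, one on a public address) are reported and the 9090 listener on the VPN address is not. A cron job that runs this against live `ss -ltn` output and alerts on a non-empty result catches the case where a package upgrade or a fresh re-install quietly resets the bind address back to 0.0.0.0.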



rf15 | 1 year ago

Their plugins are a (very) mixed bag, but saying not to use their products is a bit too alarmist if you ask me. The baseline IDE is doing fairly well, and TeamCity and doing your GitHub-specific PR stuff from within IntelliJ are kind of niche overall, I would assume (I've never used either, only the stock git client they have).

mattjaynes | 1 year ago

That's fair. I have limited experience with the rest of their offerings. They only came onto my radar because of regular critical CVEs that needed urgent fixing. The communication from the company had no hint of apology, just "hey, better fix this before your server is p0wned", which did not make it seem like they were to be taken seriously.

lyu07282 | 1 year ago

I kind of have to agree, but their software products are huge, so it's difficult to say if they are particularly bad. "Don't expose their products on the open web" is good advice, but it applies to many products, not just theirs (like GitLab/Gitea).

https://stack.watch/product/jetbrains/

manquer | 1 year ago

Android Studio is built on the IntelliJ platform; this is not a choice a developer can always make.

--

P.S. Yes, it is possible to develop Android apps without Studio, but it is painful to set up and manage; developers should not be fighting the system to do their jobs.